Add @constructive-io/provisioning-handlers package with 4 built-in task
handlers that create K8s infrastructure when function definitions are
inserted/updated in the database:
- namespace:provision — creates K8s namespaces
- namespace:sync-secrets — syncs DB secrets to K8s Secrets
- function:provision — creates Knative Services from function definitions
- function:sync-resources — updates Knative Service specs on changes
All handlers are idempotent (handle 409 Conflict) and gracefully skip
in dev mode when K8S_API_URL is not set.
Wire into compute-worker via doWorkProvisioning() dispatch method.
Update PlatformFunctionDefinition with image/scaling/resource fields.
Update FunctionDiscovery SQL to include new columns.

Remove namespace:provision and function:provision from queue handlers.
Create logic now lives in seed.ts — run manually via CLI.
Queue handlers (2 remaining):
 - namespace:sync-secrets — triggered on secret changes
 - function:sync-resources — triggered on function definition updates
Key changes:
 - Remove k8sApiUrl from ProvisioningContext — handlers read env
 - Add k8s-client.ts (getK8sClient, isConflict, isNotFound)
 - Add knative.ts (shared buildKnativeServiceSpec, resolveNamespaceName)
 - Add seed.ts with provision() and bin/provision.ts CLI entry point
 - Add jest moduleNameMapper for workspace packages
 - Add @kubernetesjs/ops mock for unit tests
 - 3 integration test suites (registry, devmode, knative helpers)
 - E2E test suite for kind cluster
 - New CI workflow: test-provisioning.yaml

The E2E tests need the real @kubernetesjs/ops client when running
against a kind cluster. The module resolves from node_modules.

Jest auto-mocks modules in __mocks__/ adjacent to node_modules.
The E2E tests need the real InterwebClient methods (readCoreV1Namespace etc.)
which were missing from the mock.

Minimal workflow to validate feasibility:
1. Create kind cluster
2. Install Knative Serving CRDs + core
3. Install Kourier networking layer
4. Deploy a test Knative Service
5. Verify it reaches Ready state

Full end-to-end test that exercises the provisioning flow:
1. Bootstraps minimal DB with namespace + function definition
2. Calls provision() seed to create K8s namespaces, secrets, Knative Services
3. Verifies ksvc reaches Ready state
4. Calls the function via Kourier gateway
5. Verifies the response contains expected data from the DB secret
6. Validates idempotent re-run
Uses kind cluster + Knative Serving v1.17.0 + Kourier + PostgreSQL service.

- Fetch existing ksvc resourceVersion before replace (PUT requires it)
- Switch HTTP test from Kourier port-forward to kubectl run + in-cluster curl
- Remove Kourier port-forward from workflow (not needed)
- Fix knative.ts metadata type to allow optional resourceVersion

The Knative admission webhook rejects replace (PUT) when immutable
annotations like serving.knative.dev/creator are missing. Now the
replace path fetches the existing service first and merges its
annotations and labels into the new spec.

...20.0
- Add standard k8s labels (managed-by, part-of, component, name, instance)
- Add networking.knative.dev/visibility: cluster-local label
- Add explicit containerPort: 8080
- Add /tmp emptyDir volume + volumeMount (writable scratch space)
- Add autoscaling.knative.dev/target annotation support
- Extract mergeAndReplace() helper shared by seed + sync handler
- Export KnativeServiceSpec type for downstream consumers
- Bump Knative version from v1.17.0 to v1.20.0 in all CI workflows
- Update unit tests to verify labels, ports, volumes, target annotation

- Import types from @kubernetesjs/ops (ServingKnativeDevV1Service, Secret,
 Namespace, InterwebClient) instead of hand-rolling interfaces
- Define typed DB row interfaces (NamespaceRow, SecretRow,
 FunctionDefinitionRow) — use pool.query<T>() eliminating unsafe casts
- Generic ProvisioningHandler<P, R> type (typed payload/result per handler)
- Pass ComputeModuleLoader through ProvisioningContext from compute-worker
 (shared TTL-cached instance, stop creating per-call)
- Extract mergeAndReplace() into k8s-ops.ts (proper module boundary)
- buildKnativeServiceSpec() accepts KnativeBuilderInput (Pick<FunctionDefinitionRow>)
- DI pattern for K8s client: createK8sClient(url) pure factory + getK8sClient()
 env-reading convenience at the edge
- Decompose seed into provisionNamespaces/syncNamespaceSecrets/provisionFunctions
- K8s error type guards with proper type predicates
- Update tests to match new handler signatures

The provisioning seed now selects scale_target from function_definitions.
The E2E bootstrap SQL was missing this column, causing a query failure.

- Add ModuleConfigLoader<T> generic base class with TTL caching,
 per-database_id resolution, and AmbiguousScopeError for multi-scope
- Add NamespaceModuleLoader, SecretsModuleLoader, StorageModuleLoader
- Refactor ComputeModuleLoader into sub-loaders (function, invocation,
 computeLog, graphExecution) using generic base
- Refactor BillingLoader to use generic base internally
- Update ModuleLoader facade to compose all 6 loader types
- Fix worker scope derivation: entity_type || null (not entity_id ternary)
- Fix InvocationTracker to use loader.invocation.load(dbId, scope)
- Update provisioning handlers to resolve tables via module loader
- Update seed to use ModuleLoader for namespace/secrets/function resolution
- Update resolveNamespaceName to accept module-resolved schema/table
- Update E2E bootstrap SQL with proper module registrations
- Update integration tests to match new ModuleLoader API

The ProvisioningContext expects a ModuleLoader (with namespace/secrets/storage
sub-loaders), not a ComputeModuleLoader. Create a ModuleLoader instance
alongside the existing ComputeModuleLoader and pass it to provisioning handlers.

The namespaces table moved from metaschema_public.namespace to
constructive_infra_public.platform_namespaces (module-resolved).