Extract vector encoding queue

[mariusvniekerk]

Vector encoding queues were previously only available inside msgvault, which made the crash-safe claim/release/complete mechanics hard to reuse in other Kenn tools. This PR moves that SQL-backed task queue into kit as an app-neutral helper while keeping schema ownership with callers.

The queue validates configured table and column identifiers before interpolating SQL, supports transactional bulk enqueue for callers that need to select groups and insert work atomically, and preserves msgvault's existing pending_embeddings table shape as the default schema.

Validation: go test ./...; go vet ./...

^{generated by a clanker}

[roborev-ci]

roborev: Combined Review (e07897b)

No issues found.

---

Panel: ci_default_security | Synthesis: codex | Members: codex_default (codex/default, done, 2m25s), codex_security (codex/security, done, 1m25s) | Total: 3m50s

[wesm]

how does this relate to kenn-io/msgvault#411?

[mariusvniekerk]

doesn't yet? i guess we can reframe it based on that?

[wesm]

yeah, let met take a closer look at that and see if it makes sense to merge and then we can reassess. I agree it doesn't make sense for every project to have its own vector embedding pipeline management system

[roborev-ci]

roborev: Combined Review (061a0a3)

Medium-risk issues remain in the vector toolkit changes.

Medium

• vector/sqlitevec/store.go:93 - SaveVectors ignores RowsAffected when stamping the source document. If the document was deleted between scan and save, or a caller passes a missing key, the transaction can commit orphan vector rows that QueryGeneration may later return. Check the update result and roll back when no source row was stamped.

• vector/generation.go:42 - Fingerprint serializes params as key=value\n without escaping or length delimiters, so different configs can hash the same preimage, such as a value containing \nother=value. Use length-prefixed fields or a structured sorted encoding before hashing.

---

Panel: ci_default_security | Synthesis: codex, 6s | Members: codex_default (codex/default, done, 4m27s), codex_security (codex/security, done, 2m2s) | Total: 6m35s

[roborev-ci]

roborev: Combined Review (792a47d)

Medium-risk issue found; no Critical or High findings.

Medium

• vector/sqlitevec/store.go:180 - QueryGeneration joins KNN results only to the chunk map, so vectors for documents deleted after embedding can still be returned as hits. Filter results against Schema.DocsTable on the configured id column, or add source-row deletion cleanup; add a test that embeds a document, deletes it, and verifies search no longer returns it.

---

Panel: ci_default_security | Synthesis: codex, 8s | Members: codex_default (codex/default, done, 3m15s), codex_security (codex/security, done, 2m16s) | Total: 5m39s

[mariusvniekerk]

The comment by roborev is mostly worthless for the last one since thats more or less just an exampe

[roborev-ci]

roborev: Combined Review (2a9fde1)

PR has two medium findings; no high or critical issues were reported.

Medium

• vector/encode.go:83: EncodeBatched checks failed() before blocking on the semaphore. If an in-flight batch sets firstErr while the loop is waiting for capacity, the next batch can still launch after the semaphore is released, causing extra encoder/provider calls despite the documented “stops launching work at the first error” behavior.
  Fix: Re-check firstErr and ctx.Err() immediately after acquiring the semaphore, release the slot, and stop dispatching if work should stop.

• vector/sqlitevec/store.go:180: QueryGeneration joins KNN results only to the chunk map, not back to the caller’s documents table. If a document is deleted after vectors are saved, stale chunk rows can still return hits for a document that no longer exists.
  Fix: Join the configured documents table on IDColumn when returning hits, or add cascading cleanup for deleted documents, with a regression test for deleted documents not being returned.

---

Panel: ci_default_security | Synthesis: codex, 8s | Members: codex_default (codex/default, done, 3m15s), codex_security (codex/security, done, 15s) | Total: 3m38s

[wesm]

Codex posting on behalf of Wes.

I like the direction this PR landed on after the pivot away from extracting the old pending_embeddings queue. That queue is no longer the durable shared abstraction for msgvault, especially with kenn-io/msgvault#411 moving embedding work to scan-and-fill coverage.

The reusable pieces here look like the right layer for kit:

• generation identity/fingerprinting for model + dimension + embedding-affecting params
• chunk splitting and batched encode orchestration
• a backend-neutral Store[K,G] boundary
• scan-and-fill flow over that store
• live-generation search fanout plus merge semantics during active/building migrations
• sqlitevec as a reference/default backend for new SQLite-backed projects

For msgvault specifically, I would not try to consume this immediately before merging kenn-io/msgvault#411. Msgvault still has extra production semantics around mutable message CAS, watermark/backstop recovery, skip/delete handling, lifecycle gates, stats, filters, and hybrid FTS/vector search. But those feel like product/backend-specific layers above this package, not arguments against the extraction.

One caveat for future evolution: the current Fill contract only passes {Doc, Content} through Pending, so projects with mutable source rows need to hide content-version/CAS checks inside their store implementation. If we want this to become the common production fill loop for msgvault-like systems, we may eventually want an explicit version token or CAS-aware save shape.

Overall: this seems like a good foundation for reusable vector infrastructure, and msgvault#411 is useful context for why scan-and-fill/generation merge is the right shared direction rather than a reusable pending queue.