feat(sdk,mcp): programmatic + agent access to OKF export/import

[ethanj]

What

Makes OKF export/import reachable from the SDK and the MCP server, not just the CLI. All three surfaces now share one output-free core, so they can't drift.

Shared core. OKF orchestration is extracted out of the CLI commands into runOkfExport(root, opts) and runOkfImport(root, dir, opts) — output-free functions that return structured reports. Warnings and skips are returned as data rather than printed (the read/collision/validate stages no longer write to stdout), so a library or an MCP stdio server gets clean results. The CLI commands now delegate to these cores and keep their existing presentation.

SDK (createWiki()):

• wiki.exportOkf({ out? }) → { outDir, writtenPaths }
• wiki.importOkf(dir, { trusted?, dryRun? }) → { mode, pages, skipped, warnings, nextAction }
• Defaults mirror the CLI: staged review candidates, trusted:false, dryRun:false. As application code, an SDK caller owns the explicit trusted:true escape hatch (writes live and runs the full refresh — links/index/MOC/embeddings). Report types and the typed errors are exported from the package entry point.

MCP (new src/mcp/okf-tools.ts):

• export_okf — export the wiki as a bundle.
• import_okf — staging-only: imports are always staged as review candidates (no trusted surface is exposed to agents), so external knowledge always passes a human review/approval gate before it can enter the wiki. Supports dryRun previews and returns a nextAction that states the review requirement explicitly.

Trust boundary

Import treats bundles as untrusted, and the boundary is uniform across surfaces: nothing reaches the live wiki without either an explicit caller trusted:true (SDK/CLI — caller-owned) or human review (MCP and the default path). The MCP tools add agent-surface safety: a shared path-confinement primitive (confineUnderRoot) keeps an agent-supplied path inside the project root for both tools (rejecting .., absolute, and symlinked-ancestor escapes), import staging is bounded by a pending-candidate cap, and both handlers run silently so they can never corrupt the JSON-RPC stdio stream. Lock contention and a full queue surface as typed errors mapped to clean tool results.

Test plan

• npx tsc --noEmit, npm run build, npm test (1637 passed), npx fallow (0 above threshold), dupes clean
• Output-free core: runOkfExport/runOkfImport emit zero stdout/stderr on the staged/dry-run paths (asserted via a shared assertNoOutput helper), incl. a wiki with a missing-source citation that would otherwise print
• confineUnderRoot direct tests: .., absolute-outside, existing-symlink-escape, fresh-child-under-symlinked-parent, and valid-inside/fresh-default
• SDK: exportOkf writes a bundle; importOkf stages by default; dryRun stages nothing; trusted writes live
• MCP: export_okf confined (rejects out-of-root); import_okf staging-only (no trusted reachable), confined (rejects dir-out-of-root), and refused past the candidate cap; a real stdio JSON-RPC round-trip drives the built server
• Behavior-preserving: existing CLI okf-import-*/okf-export-cli tests stay green; src/mcp/tools.ts untouched