feat(dataset): pre-flight for dataset push (PR-a of #151)

[saadqbal]

Summary

Phase 3 (tracebloc/client#151) lands in two PRs to keep diffs reviewable.
This PR-a is the no-op-safe pre-flight: synthesize the ingest spec from flags, validate against the embedded ingest.v1 schema, walk the local directory, discover the cluster's parent release + shared PVC, print a summary. Then either stop (--dry-run) or fail cleanly with "wait for PR-b" so a customer running PR-a's binary doesn't see "0 files transferred" confusion.

PR-b (next) plugs the novel-engineering core into the TODO: PR-b branch at the end of runDatasetPush: ephemeral stage Pod (alpine 3.20 pinned by digest), client-go remotecommand SPDY executor + tar-over-exec stream, schollz/progressbar/v3, SIGINT-safe cleanup.

What this PR adds

• internal/push/ (new package): SpecArgs.Build() (flag→spec, schema-driven), Discover() (layout + size caps: 1 GiB total, 500 MiB per file, accepts .jpg/.jpeg/.png/.webp case-insensitive).
• internal/cluster/pvc.go: DiscoverSharedPVC() against the chart's client-pvc (hardcoded by _helpers.tpl), verifies Bound phase, surfaces access modes for PR-b's stage-Pod scheduling warning.
• internal/cli/dataset.go: tracebloc dataset push <local-path> with --table/--category/--intent/--label-column/--dry-run/--ingestor-sa plus the kubeconfig flag trio. Pre-flight ordering "fail fast, fail local" — every check that doesn't need the cluster runs first.

Exit code contract

Code	Cause
0	--dry-run succeeded (or — once PR-b lands — the full push)
2	Schema validation failed on the synthesized spec
3	Local-layout or kubeconfig error
4	Cluster reachable but parent release / shared PVC missing
6	Pre-flight succeeded but staging not yet implemented (PR-b will deliver)

Exit 6 is new and distinct from Phase 2's exit 5 (no usable SA token) so the next PR's tests can assert the exact code without conflicting with Phase 2's contract.

Why image_classification only

Per epic tracebloc/client#147 v0.1 non-goals — other categories are one-PR additions in v0.2. --category does not pre-validate; the embedded schema's enum check is the single source of truth (avoiding Go-side drift the moment data-ingestors adds a new category).

Test plan

• go vet ./... — green
• go test -race -cover ./... — green (push 81.0%, cluster 83.2%, schema 80.7%, cli 52.0%)
• gofmt -s -l . — no drift
• errcheck ./... — green
• Binary smoke: tracebloc dataset push <real-layout> --kubeconfig=/missing → exit 3 with clear error chain
• Schema-failure smoke: --intent=potato → exit 2 with "value must be one of 'train', 'test'" on stderr
• Real-cluster --dry-run against EKS (deferred to PR-b's full integration test)

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

---

Note

Medium Risk
Adds a new CLI subcommand that validates user input, walks local files, and queries Kubernetes for the parent release/PVC; while it’s pre-flight only, it touches filesystem and cluster discovery paths that can affect user workflows and error/exit-code contracts.

Overview
Introduces a new tracebloc dataset push <local-path> command that performs a no-op-safe pre-flight: validates --table against path traversal, synthesizes an ingest spec from flags and validates it against the embedded schema, walks the local dataset layout (including v0.1 size caps), discovers the target cluster’s parent release and shared PVC, then prints a single-screen readiness summary.

Adds a new internal/push package for spec construction (SpecArgs.Build, StagedPrefix, ValidateTableName) and local layout discovery (Discover, HumanBytes), plus cluster.DiscoverSharedPVC to verify client-pvc exists and is Bound (with access-mode warning support). When run without --dry-run, the command currently exits with code 6 to explicitly signal staging is not implemented until PR-b; comprehensive tests pin exit codes and key error paths.

^{Reviewed by Cursor Bugbot for commit b1419f2. Bugbot is set up for automated code reviews on this repo. Configure here.}

[LukasWodka]

👋 Heads-up — Code review queue is at 17 / 8

Above the WIP limit. The team convention is to review existing PRs before opening new work.

Open PRs currently in Code review (oldest first):

• averaging-service#87 — chore(ci): add pytest suite and CI workflow · author: @aptracebloc · reviewer: @saadqbal
• client-runtime#36 — Bump requests from 2.32.3 to 2.33.0 in /Node-deploy · author: @dependabot · no reviewer assigned
• client-runtime#37 — Bump black from 25.1.0 to 26.3.1 in /Node-deploy · author: @dependabot · no reviewer assigned
• client-runtime#38 — Bump requests from 2.32.3 to 2.33.0 · author: @dependabot · no reviewer assigned
• client-runtime#39 — Bump black from 25.1.0 to 26.3.1 · author: @dependabot · no reviewer assigned
• data-ingestors#108 — Copy tokenizer.json to training pod for MLM datasets · author: @shujaatTracebloc · reviewer: @saadqbal
• design-system#19 — fix: un-track coverage/ and node_modules/ from git · author: @LukasWodka · no reviewer assigned
• docs#3 — Block bots from crawling Mintlify static assets · author: @LukasWodka · reviewer: @saadqbal
• model-zoo#74 — Add 9 MLM model variants and remove warmstart · author: @shujaatTracebloc · reviewer: @divyasinghds
• model-zoo#75 — feat: add Jan 2026 trending models across all 9 task families · author: @divyasinghds · no reviewer assigned

Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 9915866. Configure here.}