feat(cli): add inventory subcommand to enumerate KB-known AI artifacts

[jonathansantilli]

Summary

New codegate-ai inventory subcommand that walks every tool entry in the knowledge base, resolves config_paths and skill_paths against \$HOME / workspace root(s), and emits the result as either a human table or machine-readable JSON.

Why

Downstream tooling (IDE extensions, CI agents, dashboards) has been maintaining its own hard-coded lists of "places to look for AI skills / configs" because the KB wasn't queryable. Every time the KB adds a new tool or a new path (like this week's Anthropic Skills entry in #49), those downstream lists silently go stale.

This exposes the KB as structured data so every consumer can read it instead of duplicating it.

Usage

```
codegate inventory [options]

--scope <user|project|all> scope filter (default: all)
--kind <skills|configs|all> artifact kind filter (default: all)
--only-existing filter to paths that exist on disk
--workspace project-scope root (repeatable; defaults to cwd)
--format <text|json> output format (default: text)
```

Example output (JSON)

```json
{
"kb_version": "1.0.0",
"tools": [{ "name": "claude-code", "version_range": ">=1.0.0" }, …],
"items": [
{
"tool": "claude-code",
"kind": "skill",
"type": "anthropic_skill",
"scope": "user",
"pattern": ".claude/skills/*/SKILL.md",
"path": "/Users/alice/.claude/skills/foo/SKILL.md",
"exists": true,
"risk_surface": ["prompt_injection", "unicode_backdoor", "command_exec", "mcp_config"],
"resolved_against": "/Users/alice"
},
…
]
}
```

Consumer use cases

Consumer	Filter
IDE extension listing installed skills	`--kind skills --scope user --only-existing --format json`
Dashboard "host inventory" view	full dump, render table
Compliance/auditor	`--scope all` dump documenting what CodeGate watches
"Does this file fall under any KB entry?" tooling	match `path` against results
Plugin/SDK authors	read `tools[]` to discover supported ecosystems

Implementation notes

• Reuses `loadKnowledgeBase()` from `layer1-discovery/knowledge-base`; no duplicate KB parsing.
• Wildcard expansion (`*`, `**`, `?`) is inlined in the command file rather than reaching into `scan.ts`'s private helpers — keeps the command self-contained and avoids widening the scanner's export surface.
• Refuses to follow symlinks during wildcard expansion (parity with the existing scanner).
• Deterministic ordering (tool → kind → scope → path) so output is stable across runs.
• Depth- and count-limited walks (`MAX_WILDCARD_DEPTH = 8`, `MAX_WILDCARD_MATCHES = 2000`) to keep it bounded on large homedirs.

Tests

• `tests/commands/inventory-command.test.ts` — 8 unit tests covering filters, scope resolution, `--only-existing`, wildcard expansion against a seeded temp `$HOME`, empty-workspace edge case, ordering.
• `tests/cli/inventory-command.test.ts` — 3 integration tests via `createCli()` + `parseAsync()`: JSON output, `--only-existing --kind skills` end-to-end, text-format rendering.

Test plan

• `npm run typecheck`
• `npm test` — 694/694 passing (11 new)
• `npm run lint`
• `npx prettier --check` on touched files
• `npm run build` + manual smoke: `node dist/cli.js inventory --format json --scope user --kind skills` returns structured output
• `node dist/cli.js inventory --help` renders correctly

Follow-up (separate PRs)

• Mobb's tracer_ext VS Code extension will switch from a hard-coded `SKILL_ROOTS` constant to calling this subcommand.
• The mobbdev CLI's new `scan-my-skills` wrapper will do the same.
• Mintlify docs page.