fix(ops): harden local runtime production defaults

[Davidobot]

Summary

• Updates AGENTS/CONTRIBUTING plus CI and release wheel smoke checks for the new base runtime: ONNX Runtime / transformers / sentence-transformers / PyYAML are required install metadata, while import lodedb must keep embedding runtimes lazy.
• Makes private-network lodedb serve an explicit trusted-LAN support mode without allowing public or all-interface binds, and updates the WAL-default docs/help/comments to match the runtime default.
• Moves engine progress diagnostics from stdout print() calls to the lodedb.engine logger and removes the benchmark stdout-redirect workaround, keeping CLI JSON and MCP stdio clean by default.
• Hardens ONNX artifact materialization with a per-model cache lock, manifest-backed cache validation, atomic file publication, and a bounded Optimum export subprocess timeout. Cache hits use file stat metadata by default to avoid re-reading large ONNX files; set LODEDB_ONNX_CACHE_VERIFY=1 for explicit sha256 verification.
• Fixes KnowledgeGraph.add_nodes / add_edges bulk replacement so removing label/fact/embedding also clears the stale derived semantic index docs.

Testing

• uv run ruff check .
• uv run pytest -q — 410 passed, 35 skipped
• uv lock --check
• git diff --check
• ONNX cache-hit performance smoke with a 32 MiB fake model: first publish 47.793 ms; cached-hit median 0.183 ms, max 0.629 ms, one snapshot fetch call.
• GitHub CI for this branch is green: ubuntu, macOS, Windows, and patched-core smoke all pass.