OCI Skills Library: Reproducible packager

[JAORMX]

Description

Implement the reproducible OCI artifact packager in toolhive-core's oci/skills/ package. Creates deterministic OCI artifacts from skill directories (SKILL.md + supporting files), enabling anyone to rebuild and verify the same digest.

Context

Part of the Skills Lifecycle Management epic. Implements the SkillPackager interface defined in TASK-002 (#14). Ports from Skillet's internal/infrastructure/packager/ and internal/infrastructure/reproducible/.

Dependencies: #14
Blocks: Skill service implementation (in stacklok/toolhive)

Acceptance Criteria

• oci/skills/packager.go implements the SkillPackager interface
• Reads skill directory, creates OCI config blob with skill metadata in labels
• Creates content layer as tar.gz of skill directory
• Builds multi-platform image index (default: linux/amd64, linux/arm64)
• oci/skills/tar.go — deterministic tar: sorted entries, normalized timestamps via SOURCE_DATE_EPOCH, UID/GID=0
• oci/skills/gzip.go — deterministic gzip: fixed compression level, no variable headers
• Same content always produces identical digest (reproducible)
• Uses dev.toolhive.skills.* annotations and labels from media types
• Security: rejects symlinks, path traversal, device entries in skill directories
• All tests pass with t.Parallel(), SPDX headers present

Technical Approach

Port from Skillet internal/infrastructure/packager/ and internal/infrastructure/reproducible/.

Code Pointers

• Skillet internal/infrastructure/packager/packager.go — packager implementation
• Skillet internal/infrastructure/reproducible/tar.go — deterministic tar
• Skillet internal/infrastructure/reproducible/gzip.go — deterministic gzip
• TASK-002 oci/skills/interfaces.go — SkillPackager interface

References

• Epic: stacklok/stacklok-epics#239
• TASK-002: OCI Skills Library: Media types, store, and platform types #14