Skill installer and extractor #3649

@JAORMX

Description

Implement the skill installer that extracts OCI artifact layers to the appropriate client skill directory. Handles managed vs unmanaged detection, overwrite protection, and security validation (path traversal, symlinks).

Context

Part of the Skills Lifecycle Management epic. Uses the OCI store from toolhive-core (TASK-002), client paths from TASK-006, and state management from TASK-007.

Dependencies: stacklok/toolhive-core#14, #3647, #3648
Blocks: Skill service implementation

Acceptance Criteria

  • pkg/skills/installer.go extracts OCI layer tar.gz to client skill directory
  • Resolves target directory using client metadata skill paths (from TASK-006)
  • Detects existing skills: managed (has .thv-skill.json) vs unmanaged
  • Overwrite protection: refuses to overwrite unmanaged skills unless --force
  • Upgrade detection: same digest = unchanged, different digest = upgraded
  • Creates .thv-skill.json metadata file on install
  • Updates skill index on install/uninstall
  • Clean removal: removes skill directory + metadata on uninstall
  • Security: validates tar entries for path traversal (../), symlinks, absolute paths, device entries
  • Size limits: max 100MB per file, 500MB total extraction
  • All tests pass, SPDX headers present

Code Pointers

  • pkg/skills/types.go — domain types (from TASK-001)
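
The tar-entry checks and size limits from the acceptance criteria, sketched as an added example (not the project's code and not from the issue author). `ValidateLayer`, `ErrUnsafeEntry`, `MaxFile`, `MaxTotal` and the `/skills/demo` directory are hypothetical names, and the input is assumed to be an already gunzipped tar stream.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

var ErrUnsafeEntry = errors.New("unsafe tar entry") // hypothetical sentinel
const MaxFile, MaxTotal = 100 << 20, 500 << 20      // limits stated in the issue

// ValidateLayer (hypothetical name) walks a tar stream and returns the paths it
// would write under destDir, or the first violation. It extracts nothing.
func ValidateLayer(destDir string, r io.Reader, maxFile, maxTotal int64) ([]string, error) {
	var total int64
	var paths []string
	for tr := tar.NewReader(r); ; {
		h, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return paths, nil
		} else if err != nil {
			return nil, err
		}
		target := filepath.Join(destDir, h.Name) // Join cleans "../" segments
		rel, relErr := filepath.Rel(destDir, target)
		total += h.Size
		switch {
		case h.Typeflag != tar.TypeReg && h.Typeflag != tar.TypeDir: // symlink, hard link, device, FIFO
			return nil, fmt.Errorf("%w: %q has type %q", ErrUnsafeEntry, h.Name, h.Typeflag)
		case strings.HasPrefix(h.Name, "/") || filepath.IsAbs(h.Name):
			return nil, fmt.Errorf("%w: %q is absolute", ErrUnsafeEntry, h.Name)
		case relErr != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)):
			return nil, fmt.Errorf("%w: %q escapes %s", ErrUnsafeEntry, h.Name, destDir)
		case h.Size > maxFile || total > maxTotal:
			return nil, fmt.Errorf("%w: %q exceeds size limits", ErrUnsafeEntry, h.Name)
		}
		paths = append(paths, target)
	}
}

func main() {
	buf := new(bytes.Buffer) // constructed sample: a single symlink entry
	tw := tar.NewWriter(buf)
	tw.WriteHeader(&tar.Header{Name: "link", Typeflag: tar.TypeSymlink, Linkname: "/etc"})
	fmt.Println(ValidateLayer("/skills/demo", buf, MaxFile, MaxTotal))
}
```

Since `archive/tar` yields at most the declared `Size` bytes for each entry, a header check like this bounds what a later extraction pass over the same reader can write.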
