feat(tasks): bundle local skills into sha256-verified zip artifacts

[tatoalo]

Problem

for cloud tasks, local skill invocations only sent the slash command text. User-local and repo-local skills were available in the local editor but not in the cloud sandbox

Changes

• let's bundle uploadable local skills into zip artifacts with SHA-256 metadata and send them through the existing cloud artifact upload flow.

• install skill_bundle artifacts in the agent server before prompt delivery, inject the bundled skill instructions for the invoked turn, and suppress the raw slash command from the model-facing prompt so local skills behave like actual skills rather than unsupported commands

• refresh slash command metadata when a follow-up command is submitted, so newly created local skills can be selected and invoked without starting a brand-new task.

closes #2260

[tatoalo]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• feat(tasks): surface local skills in the composer and upload on send #2926
• feat(tasks): route local skill tags through the cloud prompt pipeline #2925
• feat(tasks): install and apply skill bundle artifacts in the sandbox #2924
• feat(tasks): bundle local skills into sha256-verified zip artifacts #2923 👈 (View in Graphite)
• feat(tasks): add skill bundle artifact contracts and metadata types #2922
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

React Doctor found no issues in the changed files. 🎉

_{Reviewed by React Doctor for commit e8dec75.}

[greptile-apps]

_{Reviews (1): Last reviewed commit: "feat(tasks): bundle local skills into sh..." | Re-trigger Greptile}

[greptile-apps]

Security Review

• Arbitrary filesystem read via unguarded skillPath (packages/workspace-server/src/services/skills/skills.ts): The new bundleLocalSkill method omits the resolveKnownSkillDir check that every other skill-path consumer in the file applies. This check is the documented defense against turning the endpoint into an arbitrary filesystem read. Any caller who can reach the tRPC port can provide any path that contains a SKILL.md and receive the full directory contents as a base64-encoded zip.

_{Reviews (2): Last reviewed commit: "feat(tasks): bundle local skills into sh..." | Re-trigger Greptile}

[greptile-apps]

Missing resolveKnownSkillDir guard allows arbitrary filesystem bundling

Every other method that accepts a skillPath — getSkillContents, readSkillFile, saveSkillManifest, etc. — first passes it through resolveKnownSkillDir (or resolveWritableSkillDir), which validates that the path sits under a known skill root. That guard's own comment says "This keeps the contents/readFile endpoints from becoming arbitrary-filesystem reads." bundleLocalSkill skips that guard entirely, so any caller can provide an arbitrary path (e.g. ~/.ssh) containing a SKILL.md and receive the full directory base64-encoded in the response. The fix is to call resolveKnownSkillDir on input.path before forwarding it to the bundler.

Rule Used: When implementing new features, ensure that owners... (source)

Learned From
PostHog/posthog#31236