Add skill installer and extractor for OCI artifact extraction

[JAORMX]

Closes #3649

Why

This is the critical-path task for the Skills Lifecycle Management epic — all remaining skill tasks are blocked on having an installer that can extract OCI artifact content to disk and clean up on uninstall.

Today, Install() only creates a pending DB record and Uninstall() only deletes it. Neither touches the filesystem.

What

Filesystem operations (pkg/skills/installer.go):

• Extract() decompresses tar.gz OCI layers to client skill directories with size limits (500MB total, 100MB/file, 1000 files max) and permission sanitization (setuid/setgid stripped, capped at 0644)
• Remove() safely deletes skill directories with guards against dangerous paths
• Security follows skillet's defense-in-depth pattern: pre-extraction symlink validation of target path, pre-write containment check per file, post-extraction filesystem walk

Service layer (pkg/skills/skillsvc/):

• Install() now handles managed/unmanaged detection (same digest = no-op, different digest = upgrade, unmanaged dir on disk = refuse unless --force)
• Uninstall() removes files for all clients before deleting the DB record
• Functional options pattern (WithPathResolver) keeps the service extensible for Skill service implementation #3650 (OCI store/registry)

Wiring:

• PathResolver interface in pkg/skills/ avoids the pkg/skills ↔ pkg/client import cycle
• clientPathAdapter in pkg/api/server.go bridges *client.ClientManager to PathResolver
• LayerData/Reference/Digest are internal-only fields (json:"-") — not exposed via HTTP API. The API path still creates pending records; extraction is only reachable from internal code (OCI pull in Skill service implementation #3650)

Large PR Justification

This touched the API so the swagger occupies some space.

🤖 Generated with Claude Code

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

[codecov]

Codecov Report

❌ Patch coverage is 66.95652% with 76 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.72%. Comparing base (c0924fd) to head (d5e3fd9).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/skills/installer.go	57.44%	24 Missing and 16 partials ⚠️
pkg/skills/skillsvc/skillsvc.go	80.67%	17 Missing and 6 partials ⚠️
pkg/api/server.go	0.00%	13 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##             main    #3835    +/-   ##
========================================
  Coverage   66.71%   66.72%            
========================================
  Files         443      444     +1     
  Lines       43847    44060   +213     
========================================
+ Hits        29254    29398   +144     
- Misses      12306    12355    +49     
- Partials     2287     2307    +20     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Addressed