Resolve plain skill names from registry during install

[JAORMX]

Summary

• thv skill install <name> previously created a dead-end "pending" DB record when a plain name wasn't found in the local OCI store. This made the command silently fail for users who expected registry-based resolution.
• Now the install command queries the configured skill registry/index for an exact name match and, if found, extracts the OCI reference and installs from it. If nothing resolves, a 404 with an actionable error message is returned instead of a silent pending record.

This is Phase 2 of #4015. The resolution cascade is now:

1. Local OCI store (from thv skill build)
2. Registry/index lookup (new)
3. Actionable 404 error (replaces silent pending record)

Relates to #4015

Type of change

• New feature

Test plan

• Unit tests (task test)
• Linting (task lint-fix)

Changes

File	Change
pkg/skills/skillsvc/skillsvc.go	Add SkillLookup interface and WithSkillLookup option; implement resolveFromRegistry method; replace installPending fallback with registry lookup cascade; fix lock management to prevent deadlock
pkg/api/server.go	Wire registry provider as WithSkillLookup via buildSkillLookupOption helper; rename local variable to avoid import shadow
pkg/skills/skillsvc/skillsvc_test.go	Update tests that expected pending fallback to expect 404; fix TestConcurrentInstallAndUninstall to exercise install critical section; add TestInstallFromRegistry with 9 subtests covering happy path, ambiguity, no OCI package, error degradation, case-insensitive matching, and supply-chain validation

Does this introduce a user-facing change?

Yes. thv skill install <name> now resolves plain skill names from the configured registry instead of creating a non-functional pending record. If the skill is not found anywhere, users get an actionable error message suggesting the OCI reference syntax.

Special notes for reviewers

• Lock management: The per-skill lock is released before entering the registry lookup path because installFromOCI acquires its own lock on the artifact's skill name (which could be the same key). Go's sync.Mutex is not re-entrant, so holding both would deadlock. The TOCTOU window is safe because installWithExtraction performs idempotent checks (same digest = no-op, different digest = upgrade).
• installPending removed: The function and its callers are removed. The InstallStatusPending constant is retained for existing DB records.
• Security hardening: Registry-returned data in error messages is truncated (identifiers capped at 256 chars, ambiguity candidates capped at 5). An audit log at INFO level records registry-resolved OCI references.
• Graceful degradation: Registry lookup errors are logged at WARN and fall through to the not-found error, so a registry outage never blocks installation by explicit OCI reference.

Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 76.74419% with 20 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.14%. Comparing base (949ae42) to head (43b375f).

Files with missing lines	Patch %	Lines
pkg/api/server.go	0.00%	15 Missing ⚠️
pkg/skills/skillsvc/skillsvc.go	92.95%	3 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4200      +/-   ##
==========================================
+ Coverage   69.07%   69.14%   +0.06%     
==========================================
  Files         477      477              
  Lines       48074    48135      +61     
==========================================
+ Hits        33207    33282      +75     
+ Misses      12284    12268      -16     
- Partials     2583     2585       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[amirejaz]

One inline note on buildSkillLookupOption.

[amirejaz]

LGTM, added a couple of nits

[aponcedeleonch]

LGTM

[jhrozek]

LGTM — solid implementation with good test coverage and security defenses (supply-chain name matching, OCI identifier truncation, ambiguity detection). Just two minor nits below.

Nit (not in diff): The doc comment on Install (line 195) still says "Without LayerData, a pending record is created" but the pending path was removed in this PR. Consider updating to describe the current resolution chain: OCI reference → local store → registry → 404.

🤖 Generated with Claude Code

[jhrozek]

Nit: when SearchSkills returns an error (network failure, auth error, server 500), the error is logged at WARN but converted to (nil, nil), making it indistinguishable from "no match found." The user sees "skill not found in local store or registry" with no indication that the registry was actually unreachable.

The s.skillLookup == nil check at line 608 already handles the "no registry configured" case, so a non-nil lookup returning an error is a genuine problem worth surfacing. Consider either returning the error to the caller or including a hint in the not-found message that the registry lookup failed.