Epic: implement profile/VM skill manager #70

@ebursztein

Summary

Implement a first-class skill manager for Capsem. Skills should become a profile-owned capability with VM-specific runtime state, not loose files or UI theater. Users and admins need to add, remove, enable, disable, inspect, and search skills through the same profile/VM contract used by rules, MCP, plugins, assets, and credentials.

Why

Capsem profiles are the ledger for what a VM is allowed to run and expose. Skills are becoming a real user-facing surface, so they need the same discipline:

  • profile owns configured/default skills
  • VM can have runtime/additional skills when allowed
  • corp can constrain what profiles/VMs may use
  • UI/TUI/API reflect the contract instead of inventing labels or states
  • security/event telemetry records skill use and changes
  • users can discover skills from approved skill repositories

Required capabilities

  • Profile skill management:

    • list skills configured for a profile
    • enable/disable skills per profile
    • add/remove skills per profile
    • validate profile skill files/hashes during profile check
    • expose profile skill status through profile routes
  • VM skill management:

    • list effective skills for a VM
    • allow VM-specific skill additions when profile/corp policy permits
    • enable/disable/delete VM-local skills
    • report skill readiness and failures without DB reads on hot status paths
  • UI/TUI:

    • profile settings page exposes skills as a first-class section
    • VM page exposes effective skills and VM-local overrides
    • use toggles/selects for typed state, not free-form magic
    • no invented display names/descriptions/icons; reflect skill metadata
  • Telemetry and ledger:

    • record skill loaded/used/failed events in the security/event rail
    • report global and per-VM counters
    • expose skill activity in VM stats and debug bundles
    • record mutations with rule/profile/VM context for forensics
  • Skill repository interface:

    • support configured skill repositories
    • search/list available skills
    • install/update from an approved repo
    • expose source, version, hash, and metadata
    • corp can restrict repositories and skills

Acceptance criteria

  • Skills are represented by typed/profile-backed data, not ad hoc paths.
  • Profile validation fails if a declared skill payload is missing, malformed, or hash-mismatched.
  • VM skill routes are profile-aware and do not use global shortcut state.
  • UI and TUI can enable/disable/add/delete skills through routes.
  • Global and per-VM telemetry show skill use and errors.
  • Debug output includes skill inventory, source, version/hash, enabled state, and recent failures.
  • Skill repository search works against at least one local/hermetic test repository.
  • Tests cover profile-only skills, VM-local skills, corp-denied skills, malformed skill metadata, hash mismatch, and telemetry emission.

Notes

This is an epic, not a small patch. It should follow the same architecture contract as plugins/MCP/rules: profile first, VM effective state second, corp constraints above both, and no compatibility/fallback path that lets loose files bypass validation.
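
A sketch of the resolution order described above (corp constraints, then profile, then VM-local skills) combined with the hash check from the acceptance criteria. This is an added example, not part of the issue and not Capsem code; the `Skill` record, the policy keys, the event strings, and the sample data are all hypothetical.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Skill:                 # hypothetical typed record, not Capsem's schema
    name: str
    repo: str
    sha256: str              # hash declared in the profile or VM record
    enabled: bool = True

def check_payload(skill, payloads):
    """Validation step: the payload must exist and match the declared hash."""
    data = payloads.get(skill.name)
    if data is None:
        return "missing"
    if hashlib.sha256(data).hexdigest() != skill.sha256:
        return "hash-mismatch"
    return "ok"

def effective_skills(corp, profile, vm_local, payloads):
    """Return (effective skills by origin, ledger events) for one VM."""
    effective, events = {}, []
    candidates = [("profile", s) for s in profile["skills"]]
    if corp["allow_vm_skills"] and profile["allow_vm_skills"]:
        candidates += [("vm", s) for s in vm_local]
    else:
        events += [(s.name, "denied:vm-skills") for s in vm_local]
    for origin, s in candidates:
        if s.repo not in corp["allowed_repos"] or s.name in corp["denied_skills"]:
            events.append((s.name, "denied:corp"))        # corp sits above both
        elif (status := check_payload(s, payloads)) != "ok":
            events.append((s.name, "failed:" + status))   # never load unverified
        elif s.enabled and s.name not in effective:       # profile entry wins
            effective[s.name] = origin
            events.append((s.name, "loaded:" + origin))
    return effective, events

def h(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample data: "deploy" is tampered, "scan" is corp-denied,
# "extra" comes from a repository that corp has not approved.
PAYLOADS = {"lint": b"lint-v1", "deploy": b"deploy-v1 tampered",
            "scan": b"scan-v1", "notes": b"notes-v1", "extra": b"x"}
CORP = {"allowed_repos": {"corp-repo"}, "denied_skills": {"scan"},
        "allow_vm_skills": True}
PROFILE = {"allow_vm_skills": True, "skills": [
    Skill("lint", "corp-repo", h(b"lint-v1")),
    Skill("deploy", "corp-repo", h(b"deploy-v1")),
    Skill("scan", "corp-repo", h(b"scan-v1"))]}
VM_LOCAL = [Skill("notes", "corp-repo", h(b"notes-v1")),
            Skill("extra", "public-repo", h(b"x"))]
EFFECTIVE, EVENTS = effective_skills(CORP, PROFILE, VM_LOCAL, PAYLOADS)
```

Only `lint` (profile) and `notes` (VM-local) end up effective; every rejected skill produces an event carrying the reason, which is the record the telemetry and forensics items rely on.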
