[DRAFT] Implement skills profile override layer

[simple-agent-manager]

Do not merge

Draft PR for idea 01KT05WE0HRQMKTRK5ZM3ZPKB8. This implements Skills as a first-class profile override layer and must not be merged to production without explicit follow-up approval.

Summary

• Adds additive D1 migrations and Drizzle schema for skills, skill runtime env vars/files, and task/trigger skill metadata.
• Adds skills CRUD/runtime API routes guarded by owned-project checks, with secret runtime env/file encryption mirroring profile runtime assets.
• Adds shared skill/profile resolver and wires skill resolution/persistence through user task submit, trigger submit, SAM dispatch_task, MCP dispatch_task, retry_subtask, and workspace runtime asset injection.
• Adds Skills navigation/page/form/runtime UI and selectors in chat composer and task submit form.
• Adds API/service tests plus Playwright UI audits for Skills and chat composer selector behavior.

Validation

• pnpm lint
• pnpm typecheck
• pnpm test
• Additional validation run:
  • pnpm build
  • pnpm quality:migration-safety
  • pnpm quality:file-sizes
  • pnpm --filter @simple-agent-manager/api test -- tests/unit/skill-submit-paths.test.ts
  • pnpm --filter @simple-agent-manager/web exec playwright test tests/playwright/skills-ui-audit.spec.ts
  • pnpm --filter @simple-agent-manager/web exec playwright test tests/playwright/project-chat-composer-audit.spec.ts

Staging Verification (REQUIRED for all code changes - merge-blocking)

• Staging deployment green - Not run: draft/do-not-merge PR, local and CI validation only for this handoff.
• Live app verified via Playwright - Not run: draft/do-not-merge PR, local Playwright visual audits completed.
• Existing workflows confirmed working - Not run on staging; local tests and mocked UI audits completed.
• New feature/fix verified on staging - Not run: draft/do-not-merge PR.
• Infrastructure verification completed - N/A: no infrastructure paths changed.
• Mobile and desktop verification notes added for UI changes

Staging Verification Evidence

Not run: this PR is intentionally draft/do-not-merge per task instructions. Local validation and CI were completed before handoff. Staging verification remains required before any future merge/readiness conversion.

UI Compliance Checklist (Required for UI changes)

• Mobile-first layout verified
• Accessibility checks completed
• Shared UI components used or exception documented
• Playwright visual audit run locally - mock data scenarios tested at mobile and desktop; screenshots in .codex/tmp/playwright-screenshots/.

End-to-End Verification (Required for multi-component changes)

• Data flow traced from user input to final outcome with code path citations
• Capability test exercises the complete happy path across system boundaries
• All spec/doc assumptions about existing behavior verified against code
• If any gap exists between automated test coverage and full E2E, manual verification steps documented below

Data Flow Trace

User task submit: ProjectChatComposer / TaskSubmitForm pass skillId to apps/api/src/routes/tasks/submit.ts, which resolves via apps/api/src/services/skills.ts:resolveSkillProfile, merges runtime assets in apps/api/src/services/profile-runtime-assets.ts, persists tasks.skill_id / tasks.skill_hint, and dispatches workspace runtime requirements.

Trigger submit: apps/api/src/services/trigger-submit.ts reads trigger skill metadata, resolves skill/profile/project layers, persists task skill metadata, and dispatches with merged runtime env/files.

MCP/SAM dispatch: apps/api/src/durable-objects/sam-session/tools/dispatch-task.ts and apps/api/src/routes/mcp/dispatch-tool.ts accept optional skillId, resolve the same merged config, and persist the skill metadata.

Retry subtask: apps/api/src/durable-objects/sam-session/tools/retry-subtask.ts carries the original task skill fields into the retried task and reuses resolved task settings.

Untested Gaps

Full live staging verification was not run because this is a draft/do-not-merge PR. Automated local coverage includes API CRUD/runtime routes, resolver precedence, runtime env encryption, submit path source-contract coverage, trigger submit propagation, full pnpm test, and local Playwright UI audits.

Post-Mortem (Required for bug fix PRs)

N/A: feature implementation, not a production bug fix.

Specialist Review Evidence (Required for agent-authored PRs)

• All dispatched reviewers completed and findings addressed before merge
• If any reviewer did NOT complete: needs-human-review label added and merge deferred to human

Reviewer	Status	Outcome
security-auditor	PASS	No critical/high findings. Skill runtime secrets use the existing profile encryption/masking pattern and owned-project guards.
cloudflare-specialist	PASS	Additive D1 migration only; runtime tables and task/trigger skill columns use expected FK behavior and migration safety passed.
ui-ux-specialist	PASS	Skills list/form/selectors audited at mobile and desktop with local Playwright visual tests.
task-completion-validator	PASS	Deliverables mapped to migrations, API routes, resolver/dispatch integration, UI, and focused/full validation.

Exceptions (If any)

• Scope: Staging verification was not performed.
• Rationale: User explicitly requested a draft/do-not-merge PR and local/CI validation, then stop.
• Expiration: Must be completed before converting the PR out of draft or merging.

Agent Preflight (Required)

• Preflight completed before code changes

Classification

• external-api-change
• cross-component-change
• business-logic-change
• public-surface-change
• docs-sync-change
• security-sensitive-change
• ui-change
• infra-change

External References

N/A: implementation used repo-local product ideas, existing profile/runtime route patterns, schema conventions, and test patterns; no external API contract or third-party documentation was needed.

Codebase Impact Analysis

Affected paths include apps/api migrations/schema/routes/services/DO tools for skills and dispatch integration, apps/web Skills navigation/list/form/selectors and chat/task submit wiring, and packages/shared skill/resource/trigger types. The change crosses D1 persistence, API validation/auth, runtime asset encryption/merging, task dispatch paths, and UI.

Documentation & Specs

N/A: no persistent user-facing docs were updated in this draft implementation. The source references are idea 01KT05WE0HRQMKTRK5ZM3ZPKB8 and related idea IDs in the task request; PR evidence documents the implemented behavior and validation.

Constitution & Risk Check

Checked additive migration safety, owned-project authorization, encrypted runtime secret handling, task/trigger skill metadata persistence, and no hardcoded resource defaults beyond existing configurable layer defaults. Key risks were inconsistent submit-path wiring and secret leakage; both are covered by focused tests and reused profile-runtime encryption/masking patterns.

[sonarqubecloud]

Quality Gate failed

Failed conditions
15.4% Duplication on New Code (required ≤ 3%)
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE