feat(knowledge): scope-bounded reconcile prune, atomic skill install, 16MiB envd unary cap

[ysyneu]

PR-3 of the knowledge/skills loading-stability series (safari side: flashcatcloud/fc-safari#170 merged, #172 open).

What

1. Scope-bounded reconcile prune — ReconcileKnowledgeManifestArgs gains staged_scopes + valid_scopes. Orphans are pruned only inside scopes this manifest staged; on-disk scopes outside valid_scopes (deleted packs) are pruned whole; scopes valid account-wide but unstaged by this session are left untouched. Fixes the shared-BYOC cross-session prune thrash observed live during #172's over-cap rigor pass (two sessions with different mounted teams evicted each other's files every reconcile). Empty valid_scopes (older Safari, or a zero-pack account) keeps the legacy global prune — both directions of mixed-version fleet are safe, no deploy ordering.

2. Atomic skill install — SyncSkill extracts archive + .checksum into a sibling .installing-* staging dir and swaps via RemoveAll+Rename, serialized by a per-environment mutex; orphaned staging dirs from hard crashes are swept before each install. A corrupt zip no longer destroys the previously installed version (old behavior: RemoveAll first, then extract into the live dir).

3. envd unary cap 8 MiB → 16 MiB — sync_skill zip_data at Safari's MaxSkillZipBytes (10 MiB) is ~13.3 MiB after base64 and could not fit the old frame, so >6 MiB-raw skills were uninstallable on cloud sandboxes. Over-cap bodies now fail with an explicit cap error instead of silent LimitReader truncation surfacing as a cryptic JSON decode failure. Companion safari commit pins the relationship with TestSkillZipFitsEnvdUnaryFrame and adds a cloud-dispatch pre-check.

Verification

• Unit: scoped prune matrix (staged orphan pruned / valid-unstaged kept / invalid scope pruned whole / legacy global on empty scopes / degenerate staged-not-valid), atomic install (corrupt zip → v1 intact + probe still hits + no staging litter), readUnary 14 MiB accept + over-cap explicit reject. Full go test ./... green, go vet clean, gofumpt clean.
• Live (local BYOC runner + safari #172 branch binary, dev account 2451002751131):
  • Fully-staged regime: planted knowledge/team_999999/junk.md (invalid scope) + knowledge/account/orphan-live.md → reconcile kept=7 total_pruned=2 eager_staged=12, both planted files gone, all real files intact.
  • Discriminating over-cap test (cap=1 throwaway safari build, unbound session → staged=account only, valid=all 5 scopes): planted orphan in a valid-but-unstaged team scope survived alongside all 13 team files (total_pruned=1 = the account orphan only). Old global prune would have deleted all 14 — that was the live thrash.

Rollout

• BYOC fleet: picks this up via self-update after the next release tag.
• Cloud sandboxes: the 16 MiB cap lands only after the sandbox image is rebuilt with the new runner — until then >6 MiB-raw skills keep failing on cloud (now with the explicit error once rebuilt). Mention from review: pre-16 MiB images still truncate at 8 MiB.