fix(skills): refresh snapshots after skill exposure config changes

[DevInvestor]

Summary

• add a redacted skill snapshot config fingerprint so persisted skillsSnapshot entries refresh after skill exposure config changes, including skills.load.extraDirs
• persist the fingerprint on built skill snapshots and compare it in auto-reply/session update and agent-command paths
• add regression coverage for Tom/HQ-style shared skill exposure where xurl is local but x-post-analysis appears only via shared config

Context

This is Lane A for GB-P12-W4 x-post-analysis deterministic workflow. It fixes the runtime side of the incident where Tom's persistent session had xurl but not x-post-analysis, so it could not load the built X-post workflow.

Real behavior proof

• Behavior or issue addressed: persisted agent skillsSnapshot entries now refresh when the runtime skill exposure config changes, including skills.load.extraDirs, instead of keeping a stale snapshot that has xurl but not x-post-analysis.
• Real environment tested: Clawdbot-1 Ubuntu OpenClaw checkout at /root/clawd/.worktrees/dan-xpost-snapshot-runtime, Node v22.22.2, using real local skill directories and /root/clawd/skills/x-post-analysis/SKILL.md as the shared skill exposed through skills.load.extraDirs.
• Exact steps or command run after this patch:

  cd /root/clawd/.worktrees/dan-xpost-snapshot-runtime
  node --import tsx ./.tmp-xpost-real-behavior-proof.ts

• Evidence after fix: terminal output from the real OpenClaw checkout:

  {
    "setup": {
      "workspace": "/tmp/openclaw-xpost-proof-eaZ0Io/workspace",
      "managedSkillsDir": "/tmp/openclaw-xpost-proof-eaZ0Io/managed-skills",
      "bundledSkillsDir": "/tmp/openclaw-xpost-proof-eaZ0Io/bundled-skills-empty",
      "sharedSkillsExtraDir": "/root/clawd/skills",
      "agentId": "tom",
      "skillFilter": ["xurl", "x-post-analysis"]
    },
    "before": {
      "extraDirs": [],
      "skills": ["browser-automation", "xurl"],
      "hasXurl": true,
      "hasXPost": false,
      "configFingerprint": "de6316be2f21..."
    },
    "after": {
      "extraDirs": ["/root/clawd/skills"],
      "skills": ["brave-search", "browser-automation", "coding-agent", "elevenlabs-voices", "github", "notion", "phone-agent", "planning-with-files", "video-transcript-downloader", "weather", "x-post-analysis", "xurl"],
      "hasXurl": true,
      "hasXPost": true,
      "xpostResolved": "/root/clawd/skills/x-post-analysis/SKILL.md",
      "configFingerprint": "3f0f7ab04b1c..."
    },
    "fingerprintChanged": true
  }

• Observed result after fix: after adding /root/clawd/skills to skills.load.extraDirs, the real snapshot builder exposes x-post-analysis and records a changed redacted configFingerprint, which is the persisted signal used by the patch to refresh stale skillsSnapshot data.
• What was not tested: no live gateway restart, no live Tom session mutation, no production config edit, and no deploy in this PR.

Verification

• OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/test-projects.mjs --maxWorkers=1 src/agents/skills.buildworkspaceskillsnapshot.test.ts
• OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/test-projects.mjs --maxWorkers=1 src/auto-reply/reply/session-updates.test.ts
• OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/test-projects.mjs --maxWorkers=1 src/agents/agent-command.live-model-switch.test.ts
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json ...
• node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.test.src.json ...
• Riley independent review: APPROVED

Deployment

No live runtime/config/session mutation in this PR. Deployment/config exposure remains separate and must include backups, health checks, Tom hasXPost=true proof, and rollback.

[clawsweeper]

Codex review: needs maintainer review before merge.

Summary
The PR adds a redacted skill snapshot config fingerprint, persists it on skill snapshots, compares it in auto-reply and agent-command paths, and adds regression coverage for skills.load.extraDirs exposure changes.

Reproducibility: yes. At source level, current main builds snapshots from skills.load.extraDirs but persisted snapshots are reused unless version or filter state changes, so a config-only exposure change can leave a stale snapshot.

Real behavior proof
Sufficient (terminal): The PR body now includes terminal output from a real Ubuntu checkout showing the before/after skill exposure and changed fingerprint after adding skills.load.extraDirs.

Next step before merge
No repair lane is needed; the PR appears focused and should proceed through ordinary maintainer and CI review.

Security
Cleared: No concrete security or supply-chain concern found; the diff adds no dependencies or workflows and persists only a SHA-256 fingerprint of redacted config.

Review details

Best possible solution:

Land the narrow fingerprint-based invalidation after normal CI and maintainer checks, keeping live deployment and Tom/HQ config exposure as a separate rollout step.

Do we have a high-confidence way to reproduce the issue?

Yes. At source level, current main builds snapshots from skills.load.extraDirs but persisted snapshots are reused unless version or filter state changes, so a config-only exposure change can leave a stale snapshot.

Is this the best way to solve the issue?

Yes. Persisting and comparing a redacted config fingerprint in both snapshot reuse paths is the narrow maintainable fix, and the helper keeps raw config secrets out of the persisted field.

What I checked:

• Current main refresh condition: Current main refreshes persisted auto-reply skill snapshots for version or skill-filter changes only, while the config fingerprint is only used in the in-memory resolved-skills cache key. (src/auto-reply/reply/session-updates.ts:264, efabae2f9bf0)
• Current main extraDirs source: The snapshot builder already reads skills.load.extraDirs, so config changes can alter the correct snapshot content without changing the snapshot version or filter. (src/agents/skills/workspace.ts:848, efabae2f9bf0)
• Current main agent-command condition: The agent-command path also reuses persisted snapshots unless the snapshot is missing, stale by version, or has a different skill filter. (src/agents/agent-command.ts:649, efabae2f9bf0)
• PR implementation: The PR adds snapshot-fingerprint.ts, stores configFingerprint on snapshots, and compares it before reusing persisted snapshots in both auto-reply and agent-command paths. (src/agents/skills/snapshot-fingerprint.ts:59, 67998033e3ef)
• Regression coverage: The diff adds tests for shared x-post-analysis discovery through skills.load.extraDirs and for refreshing a stale persisted xurl-only snapshot after config-driven exposure changes. (src/auto-reply/reply/session-updates.test.ts:239, 67998033e3ef)
• Real behavior proof: The updated PR body includes copied terminal JSON from a real Ubuntu checkout showing x-post-analysis absent before adding /root/clawd/skills, present after, and a changed redacted config fingerprint; GitHub's Real behavior proof check then completed successfully. (67998033e3ef)

Likely related people:

• steipete: Related PR metadata and local blame tie the recent agent/session runtime and snapshot-cache behavior that this PR extends to steipete/Peter Steinberger. (role: recent area contributor and merger; confidence: high; commits: 8ba0bb2a8a9b, d643cd5a9f08, 628c753f3bff; files: src/auto-reply/reply/session-updates.ts, src/agents/skills/workspace.ts, src/agents/agent-command.ts)
• Josh Avant: Current local history shows recent work on src/agents/agent-command.ts, one of the paths this PR updates, though not the central skill snapshot logic. (role: recent adjacent contributor; confidence: low; commits: 1dac68c0bbe7, 64b94daf92c4; files: src/agents/agent-command.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against efabae2f9bf0.