
fix(compat): enforce anonymous installability rules #514

Closed

dongmucat wants to merge 1 commit into main from fix/issue-39-installability-contract

fix(compat): enforce anonymous installability rules#514
dongmucat wants to merge 1 commit into
mainfrom
fix/issue-39-installability-contract

Conversation

@dongmucat

Collaborator

Overview

Enforce the anonymous CLI installability contract consistently across search, resolve, and download for ISSUE-39.

Changes

Backend

  • Added AnonymousSkillInstallabilityPolicy for the anonymous public install target rule: active namespace, active/non-hidden/public skill, and published/download-ready/non-yanked version.
  • Filtered anonymous search results unless the skill's latest version is installable under that policy.
  • Gated anonymous resolve before fingerprint/file work and anonymous download before storage lookup, preserving existing fallback bundle behavior for ready published versions.
  • Validated compatibility download redirects through the same resolve path before returning a Location.

Frontend

  • No frontend changes.

Test coverage

  • Backend unit tests: AnonymousSkillInstallabilityPolicyTest, SkillSearchAppServiceTest, SkillQueryServiceTest, SkillDownloadServiceTest cover the positive public installable case and negative cases for archived/hidden/private/unpublished/no latest/not ready/yanked versions.
  • Frontend unit tests: not applicable; no frontend source changed.
  • E2E tests: not applicable; no frontend UI changed.

Quality gates

  • make test-backend-app passed
  • make typecheck-web passed
  • make lint-web passed
  • make generate-api not required; no Controller/API contract change
  • make staging attempted twice and blocked by Docker registry TLS failure while resolving eclipse-temurin:21-jre-alpine from registry-1.docker.io

Security considerations

  • Tightens anonymous install access so public CLI install paths no longer expose hidden/private/non-ready/yanked targets.
  • No secrets, token handling, or authentication behavior changed for publish/delete/whoami.

Related issue

Closes ISSUE-39

Testing notes

Local verification steps

  1. Run make test-backend-app and expect the backend reactor to pass.
  2. Run make typecheck-web and make lint-web to verify unchanged frontend checks.
  3. Retry make staging once Docker registry TLS resolution is healthy.

Regression scope

  • Anonymous /api/v1/search should only include skills whose latest version is installable.
  • Anonymous /api/v1/resolve and /api/v1/download should reject non-installable public targets before file/storage fallback work.
  • Ready published versions should still download via existing bundle or fallback bundle behavior.

Screenshots/recordings (if UI changed)

No UI changes.
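The three-layer rule the PR description gives for the anonymous install target (active namespace; active, non-hidden, public skill; published, download-ready, non-yanked version), and the ordering requirement that resolve/download reject before any storage lookup, can be sketched as one shared policy object. The block below is an added illustration and is not the project's code: the record types, field names, `FakeStorage`, `anonymousSearch` and `anonymousDownload` are all assumptions made for the example; only the rule layers and the "policy before storage" ordering come from the PR text. The lookup counter exists so the gate ordering is observable rather than asserted.

```java
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;

// Added illustration, not the project's code. Every type, field and method name
// here is an assumption; only the three rule layers and the "deny before storage
// lookup" ordering are taken from the PR description.
public final class AnonymousInstallExample {

    record Namespace(String name, boolean active) {}
    record Version(String tag, boolean published, boolean downloadReady, boolean yanked) {}
    record Skill(String name, Namespace namespace, boolean active, boolean hidden,
                 boolean isPublic, List<Version> versions) {
        // Latest version is the last one registered; empty when the skill has none.
        Optional<Version> latest() {
            return versions.isEmpty() ? Optional.empty()
                                      : Optional.of(versions.get(versions.size() - 1));
        }
    }

    // Decision carries a detail string: a denial reason, or the bundle path on success.
    record Decision(boolean installable, String detail) {
        static Decision allow(String detail) { return new Decision(true, detail); }
        static Decision deny(String why)     { return new Decision(false, why); }
    }

    // Single policy object reused by search, resolve and download (hypothetical shape).
    static final class AnonymousSkillInstallabilityPolicy {
        Decision evaluate(Skill skill, Optional<Version> version) {
            if (!skill.namespace().active()) return Decision.deny("namespace archived");
            if (!skill.active())             return Decision.deny("skill archived");
            if (skill.hidden())              return Decision.deny("skill hidden");
            if (!skill.isPublic())           return Decision.deny("skill private");
            if (version.isEmpty())           return Decision.deny("no such version");
            Version v = version.get();
            if (!v.published())              return Decision.deny("version unpublished");
            if (!v.downloadReady())          return Decision.deny("version not download-ready");
            if (v.yanked())                  return Decision.deny("version yanked");
            return Decision.allow("ok");
        }
    }

    // Stand-in for the bundle store; counts lookups so the gate ordering is visible.
    static final class FakeStorage {
        int lookups = 0;
        String bundleFor(Skill s, Version v) {
            lookups++;
            return s.name() + "-" + v.tag() + ".tar.gz";
        }
    }

    // Anonymous search: keep only skills whose latest version passes the policy.
    static List<Skill> anonymousSearch(AnonymousSkillInstallabilityPolicy p, List<Skill> all) {
        return all.stream()
                  .filter(s -> p.evaluate(s, s.latest()).installable())
                  .collect(Collectors.toList());
    }

    // Anonymous download: evaluate the policy first; touch storage only on allow.
    static Decision anonymousDownload(AnonymousSkillInstallabilityPolicy p, FakeStorage st,
                                      Skill s, String tag) {
        Optional<Version> v = s.versions().stream().filter(x -> x.tag().equals(tag)).findFirst();
        Decision gate = p.evaluate(s, v);
        if (!gate.installable()) return gate;           // rejected before any storage work
        return Decision.allow(st.bundleFor(s, v.get()));
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from the project.
        Namespace ns = new Namespace("acme", true);
        Skill good     = new Skill("greet",  ns, true, false, true,
                                   List.of(new Version("1.0.0", true, true,  false)));
        Skill yanked   = new Skill("bad",    ns, true, false, true,
                                   List.of(new Version("1.0.0", true, true,  true)));
        Skill hidden   = new Skill("secret", ns, true, true,  true,
                                   List.of(new Version("1.0.0", true, true,  false)));
        Skill notReady = new Skill("wip",    ns, true, false, true,
                                   List.of(new Version("1.0.0", true, false, false)));

        AnonymousSkillInstallabilityPolicy policy = new AnonymousSkillInstallabilityPolicy();
        FakeStorage storage = new FakeStorage();

        List<String> visible = anonymousSearch(policy, List.of(good, yanked, hidden, notReady))
                .stream().map(Skill::name).toList();
        System.out.println("search shows: " + visible);                        // [greet]

        System.out.println(anonymousDownload(policy, storage, notReady, "1.0.0"));
        System.out.println("storage lookups after denied download: " + storage.lookups); // 0

        System.out.println(anonymousDownload(policy, storage, good, "1.0.0"));
        System.out.println("storage lookups after allowed download: " + storage.lookups); // 1
    }
}
```

The point worth checking in a real implementation is the second counter line: a denied request must leave the storage lookup count unchanged, which is exactly the property the PR's SkillDownloadServiceTest negative cases should pin down.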

@dongmucat

Collaborator Author

Technical review requested for ISSUE-39.

Focus areas:

  • Anonymous installability policy boundary and reuse across search, resolve, and download.
  • Anonymous search filtering based on latest version downloadReady/published/yanked state.
  • Download path preserving fallback bundle behavior for ready published versions while rejecting downloadReady=false before storage lookup.

Verification completed:

  • make test-backend-app passed.
  • make typecheck-web passed.
  • make lint-web passed.

make staging was attempted twice but is blocked in this environment by Docker registry TLS certificate mismatch while resolving eclipse-temurin:21-jre-alpine from registry-1.docker.io.

@dongmucat

Collaborator Author

Closing as superseded by replacement PR #523 for ISSUE-36. Keeping branch intact; no merge to main.
