Fix: document safe gstack skill sync path

[ohld]

Fixes FFM-1676.

Summary

• Document FFmemes policy that direct upstream gstack /skills/import is not the accepted update path while Paperclip rejects executable-script skills with scripts_executables_blocked.
• Keep the operational path on curated catalog validation plus per-agent paperclip_skill_sync.
• Update routine observability/audit logic so future gstack update checks that mention /skills/import or scripts_executables(_blocked) are flagged as degraded instead of closing green.
• Make the repo-local Paperclip CLI wrapper use a repo-owned npm cache for the npx paperclipai fallback, avoiding /paperclip/.npm ownership failures during agent work.

Verification

• pytest -q tests/scripts/test_paperclip_routine_audit.py tests/test_paperclip_cli_wrapper.py tests/test_paperclip_skill_preflight.py -> 19 passed
• .codex/paperclip-tools/paperclipai-ffmemes.sh --version -> 2026.513.0
• ruff check --fix scripts/paperclip_routine_audit.py tests/scripts/test_paperclip_routine_audit.py tests/test_paperclip_cli_wrapper.py tests/test_paperclip_skill_preflight.py && ruff format scripts/paperclip_routine_audit.py tests/scripts/test_paperclip_routine_audit.py tests/test_paperclip_cli_wrapper.py tests/test_paperclip_skill_preflight.py -> passed

Note: the required broad ruff check --fix src/ tests/ is currently blocked by unrelated pre-existing dirty work in src/recommendations/candidates.py (E501 at line 329), so I kept linting scoped to touched Python files.

[ohld]

STAFF ENGINEER REVIEW: CHANGES REQUESTED — two regressions need fixing before merge.

1. agents/_sync_config.py:455-468: --skill-preflight sets DRY_RUN=1 in agents/deploy.sh, so unknown desired skills print an ERROR but main() still returns 0 at if SKILL_PREFLIGHT_ONLY: return 0. That makes the new preflight-only command succeed exactly when the catalog check failed. The maintenance/routine path can close green while desired skills are missing. Make skill-preflight-only fail nonzero on unknown_desired_skills (and strongly consider stale/incompatible skills non-green too), with a regression test for that exact mode.

2. .codex/paperclip-tools/paperclipai-ffmemes.sh:24-25: the wrapper preserves an inherited lowercase npm_config_cache. If the runtime has lowercase npm_config_cache=/paperclip/.npm, npm/npx can still prefer that unwritable cache over the repo-local uppercase value, so the fallback remains broken. Set lowercase from the selected NPM_CONFIG_CACHE instead of preserving stale lowercase env.

Review gates run:

• /review structural pass: changes requested
• /codex review: found the lowercase npm cache regression
• /cso --diff focused pass: no secrets added; supply-chain/preflight gate regression above is the security-sensitive finding

I disabled auto-merge before posting this review.

[ohld]

STAFF ENGINEER REVIEW: APPROVED — Clean on current head 3654fdf. Structural pass found no production-impacting regressions; previous wrapper lowercase-cache issue is fixed by forcing npm_config_cache to the selected repo-local NPM_CONFIG_CACHE. The prior skill-preflight code-path finding is no longer present in the current diff. Codex second opinion passed. Targeted local tests: 30 passed.

[ohld]

✅ Approved + merged.