fix(skills): remove invalid OpenCode/Codex agent guidance (#825) #804

Closed
hypnwtykvmpr wants to merge 17 commits into safishamsi:v7 from hypnwtykvmpr:v7

hypnwtykvmpr (Contributor) commented May 10, 2026

Summary

Closes #825. The installed OpenCode SKILL.md instructed subagent_type="general-purpose" — an agent type OpenCode does not support — and blocked large-corpus runs on an interactive subfolder prompt. A cross-skill audit (.AUDIT/825-cross-skill-check.py) confirmed the Codex skill had the identical logical bug: it dispatches via spawn_agent(agent_type="worker", ...) but still told users to "re-run with general-purpose agent" on failure — impossible to follow.

This PR fixes both, makes large-corpus handling deterministic, normalizes returned-agent JSON to per-chunk files, and adds a Python validation boundary so untrusted agent payloads can't exhaust disk/memory or escape the chunk directory.

Changes (latest commit, c720f1a)

Skill text (graphify/skill-opencode.md, graphify/skill-codex.md)

  • Large-corpus warns-and-continues instead of blocking for subfolder selection.
  • Recovery text uses platform-native dispatch (@mention for OpenCode, spawn_agent for Codex); removed all Claude subagent_type="general-purpose" / Explore type / "general-purpose agent" guidance.
  • Replaced Claude-specific "MUST use the Agent tool" / "After each Agent call completes" template wording with platform-neutral phrasing pointing at each skill's Step B2.
  • 50%-or-more failure threshold is now explicit; recovery advice points at --max-concurrency 1 (a real CLI flag).
  • Chunk index NN is derived from the dispatcher, never from agent output (path-traversal safety).

Python enforcement boundary (graphify/semantic_cleanup.py)

  • New validate_semantic_fragment(fragment) -> list[str]: ≤ 25 MB payload, ≤ 10,000 nodes, ≤ 100,000 edges, ASCII-only IDs with no path separators (/, \, ..), file_type whitelist (code|document|paper|image).
  • New load_validated_semantic_fragment(path) -> tuple[dict | None, list[str]]: stat().st_size guard runs before read_text() / json.loads(), so oversize chunk files are rejected without allocation. JSON decode errors return as errors instead of raising.
  • Both skill merge snippets now go through the new loader.

Tests

  • 7 new install + source regressions in tests/test_install.py covering OpenCode and Codex (agent-type ban, non-interactive large-corpus, returned-JSON normalization, platform-neutral dispatch language).
  • 10 new tests in tests/test_semantic_cleanup.py (validation + load helper: valid, non-object, oversize, too-many-nodes, too-many-edges, path-traversal ID, invalid file_type, oversize-before-parse, invalid-JSON-no-raise, valid-load).
  • CHANGELOG.md entry under ## Unreleased.

Audit artifact

.AUDIT/825-cross-skill-check.py reads each graphify/skill-*.md and treats platform-override blockquotes as the authoritative dispatch contract. After this PR it exits 0. skill-droid.md and skill-trae.md remain NEEDS-EXTERNAL-VERIFICATION (their Task-tool variants need platform-runtime contract confirmation) and are deliberately out of scope; skill-copilot.md warrants a separate investigation issue because it has no platform-override block.

Validation

  • .venv/bin/python -m pytest -p no:cacheprovider → 2180 passed in 15 s
  • .venv/bin/python .AUDIT/825-cross-skill-check.py → exit 0
  • rg -n "general-purpose|subagent_type|Explore type|MUST use the Agent tool here|After each Agent call completes|ask which subfolder to run on|wait for the user's answer before proceeding" graphify/skill-opencode.md graphify/skill-codex.md → no matches
  • graphify install --platform codex against the new template → installed SKILL.md verified clean by the same extended grep
  • graphify update . --force → graph regenerated (7443 nodes, 12057 edges, 546 communities)
  • git apply --check was the verification gate during the runbook revision pass

Previously included work (12 prior fork commits on this branch)

The branch also carries 12 fork commits that this PR's #825 fix depends on (notably graphify/semantic_cleanup.py was introduced earlier in this stack and this PR extends it). Brief summary, newest first:

  • fix: restore local graphify fixes after upstream sync
  • feat: callflow HTML offline-ready (vendored Mermaid 11.14.0 with SRI fallback)
  • fix: graph path / parser hardening
  • test: hollow response expectations after upstream rebase
  • ci: install action test dependencies
  • fix: graph rebuild validation and manifest handling
  • test: escape elixir interpolation fixture
  • fix: pypdf for PDF image extraction
  • feat: upstream issue rollup — wiki links, rationale guard, offline viz, PPTX/PDF, GitHub Action, corpus docs
  • fix: security hardening (9 findings from systematic review) — introduces graphify/semantic_cleanup.py
  • feat: bash shell script extraction + ForgeCode install platform support
  • Rollup: deterministic extraction, deduplication hardening, portability, expanded test coverage

If preferred, the prior commits can be split into a separate PR — but a direct cherry-pick of the #825 commit onto upstream/v7 will fail because semantic_cleanup.py doesn't exist there yet.
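
The validation boundary described in the PR summary above, as an added sketch that is not graphify's code and not part of this PR: the function names, limits and whitelist come from the description, while the `nodes`/`edges`/`id` keys, the `chunk_NN.json` file name and the `max_bytes` parameter are assumptions. It caps size with a bounded read rather than `stat()` followed by a read, the pattern the J-1 commit message on this branch names.

```python
from __future__ import annotations
import json
from pathlib import Path

# Limits and whitelist as stated in the PR description (25 MB taken as MiB here).
MAX_BYTES = 25 * 1024 * 1024
MAX_NODES, MAX_EDGES = 10_000, 100_000
FILE_TYPES = ("code", "document", "paper", "image")

def _bad_id(value) -> bool:
    # IDs must be non-empty ASCII strings containing no '/', '\' or '..'.
    return (not isinstance(value, str) or not value or not value.isascii()
            or "/" in value or "\\" in value or ".." in value)

def chunk_path(chunk_dir, index: int) -> Path:
    # File name (assumed pattern) is built from the dispatcher's counter only.
    return Path(chunk_dir) / f"chunk_{int(index):02d}.json"

def validate_semantic_fragment(fragment) -> list[str]:
    """Return violations; an empty list means the fragment is accepted."""
    if not isinstance(fragment, dict):
        return ["fragment is not a JSON object"]
    nodes, edges = fragment.get("nodes", []), fragment.get("edges", [])
    if not isinstance(nodes, list) or not isinstance(edges, list):
        return ["nodes and edges must be lists"]
    errors = []
    if len(nodes) > MAX_NODES:
        errors.append(f"too many nodes: {len(nodes)}")
    if len(edges) > MAX_EDGES:
        errors.append(f"too many edges: {len(edges)}")
    for node in nodes[:MAX_NODES]:  # node IDs only; edge endpoints not checked here
        if not isinstance(node, dict) or _bad_id(node.get("id")):
            errors.append(f"unsafe node id: {node!r:.80}")
        elif node.get("file_type") not in FILE_TYPES:
            errors.append(f"invalid file_type on node {node['id']}")
    return errors

def load_validated_semantic_fragment(path, max_bytes: int = MAX_BYTES) -> tuple[dict | None, list[str]]:
    # Bounded read: at most max_bytes + 1 bytes in memory, no check-then-read gap.
    with open(path, "rb") as fh:
        raw = fh.read(max_bytes + 1)
    if len(raw) > max_bytes:
        return None, ["chunk file exceeds size limit"]
    try:
        fragment = json.loads(raw)
    except (ValueError, RecursionError) as exc:  # decode errors are returned, not raised
        return None, [f"invalid JSON: {exc}"]
    errors = validate_semantic_fragment(fragment)
    return (None if errors else fragment), errors
```
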

hypnwtykvmpr changed the title from "Contributions since v0.7.13: hardening, bash support, docs, and offline callflow" to "fix(skills): remove invalid OpenCode/Codex agent guidance (#825)" on May 14, 2026
hypnwtykvmpr force-pushed the v7 branch 4 times, most recently from 4b94d36 to 4f78b3e on May 14, 2026 15:01
safishamsi and others added 7 commits May 15, 2026 00:07
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…tors

- Add .sh, .bash, .json to CODE_EXTENSIONS in detect.py so files reach extractor
- Fix test_detect_incremental manifest path collision with new .json extension
- Update test_watch to reflect .json/.sh are now watched extensions
- B-1: only emit source imports for paths that exist on disk
- J-1: replace stat()+read() with bounded read to eliminate TOCTOU
- J-3: move pair_count cap inside loop so it is honoured exactly
- J-4: namespace $ref/extends refs with "ref_" prefix to prevent ID collision

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…on graph change

safishamsi#873: Remove blanket dot-prefix exclusion from detect.py and
extract.py collect_files(). Add framework caches (.next, .nuxt,
.turbo, .angular, .idea, .cache, .parcel-cache, .svelte-kit,
.terraform, .serverless, .graphify) to _SKIP_DIRS so they stay
blocked. Meaningful dot dirs (.github, .claude, etc.) are now
indexed.

safishamsi#874: Add _maybe_reload() with mtime+size stat key and threading.Lock
to serve.py. call_tool and read_resource call _maybe_reload() on
every request; the graph reloads automatically when graph.json changes
without restarting the MCP server.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
safishamsi and others added 9 commits May 15, 2026 11:25
graphify.exe and python.exe are co-located in the same Scripts\
directory for both uv tool and pipx installs. Use Get-Command graphify
to find that directory and pick up the correct Python instead of
falling through to bare python (which is a different interpreter
that doesn't have graphify).

Also replace all bare `python .graphify_*` invocations throughout
the skill with `& (Get-Content graphify-out\.graphify_python)` so
every step uses the saved interpreter, and fix the bash $(cat ...)
syntax to PowerShell & (Get-Content ...).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…hamsi#831)

antigravity install on Windows now installs skill-windows.md instead
of skill.md by redirecting to a new antigravity-windows platform config
at install time via sys.platform check.

Python detection in Find-GraphifyPython now uses uv tool dir (respects
UV_TOOL_DIR) and pipx environment --value PIPX_LOCAL_VENVS (respects
PIPX_HOME) instead of guessing from the shim location. The graphify.exe
shim and python.exe live in different directories for both uv and pipx
on Windows so the previous Get-Command approach was wrong.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Move all intermediate data files and temp step scripts from the
project root into graphify-out/ to match the bash skill behaviour.
Also fix the > redirect on detect.json which wrote UTF-16LE in
PowerShell 5.1 - now uses Out-File -Encoding utf8 consistently.

Files moved: .graphify_detect.json, .graphify_ast.json,
.graphify_extract.json, .graphify_semantic.json,
.graphify_analysis.json, .graphify_labels.json,
.graphify_incremental.json, .graphify_old.json,
all .graphify_step_*.py temp scripts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…label normalization

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…merges on short labels (safishamsi#878)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Cherry-picked from PR safishamsi#881 (merged into v7) — adds case study artifacts
matching the worked/karpathy-repos/ convention.
@hypnwtykvmpr hypnwtykvmpr deleted the branch safishamsi:v7 May 16, 2026 05:33
@hypnwtykvmpr hypnwtykvmpr deleted the v7 branch May 16, 2026 05:33

Development

Successfully merging this pull request may close these issues.

OpenCode integration uses invalid general-purpose agent and blocks on large corpus prompt

2 participants