Expose plugin provenance for listed skills

[nm-openai]

Summary

• Adds explicit SkillProvenance plus optional plugin metadata to skills/list so clients can distinguish personal/project/system/admin skills from marketplace/local/debug/ad-hoc plugin skills.
• Keeps the legacy scope field unchanged as the skill placement/precedence contract.
• Carries plugin interface metadata (display_name, brand_color, composer_icon, logo) from plugin load outcomes into listed skill metadata.
• Adds app-server coverage for installed plugin skills from OpenAI marketplace and custom/local marketplace cache.
• Regenerates v2 protocol schema and TypeScript fixtures.

Scope vs Provenance Logic

• scope continues to mean where the skill participates in existing skill semantics:
  • User maps to legacy Personal UI behavior.
  • Repo maps to project/repo-root UI behavior, such as rendering codex for /Users/nm/code/codex.
  • System maps to built-in system skills.
  • Admin maps to system-config/admin-installed skills.
• Non-plugin skills derive provenance from scope: Personal, Project, System, or Admin.
• Plugin skills keep their existing scope value, usually User, so ordering and compatibility do not change.
• Plugin skills additionally carry plugin metadata and plugin-specific provenance derived from marketplace name:
  • openai-curated and chatgpt-global -> OpenaiMarketplace
  • workspace/shared remote marketplaces -> WorkspaceMarketplace
  • debug -> DebugPlugin
  • local/personal -> LocalPlugin
  • other marketplace names -> CustomMarketplace
• This avoids overloading scope with provenance while giving newer clients enough data to render plugin origin, icon fallback, and brand color.

Compatibility

• New app-server + old Codex app UI: compatible. The added response fields are ignored by older UI clients.
• Old app-server + new Codex app UI: compatible. The UI falls back to the existing scope-based labels and existing icon behavior when provenance/plugin are absent.
• Mixed deploys preserve the old scope enum and behavior; plugin skills are not sent as new scope values.

Paired PR

Paired Codex app UI PR: openai/openai#911245. The UI PR consumes the new fields to render provenance labels, plugin icon fallback, and plugin brand-color highlighting. These should merge together, with this app-server PR providing the protocol/payload shape.

Test Plan

• just write-app-server-schema
• cargo test -p codex-app-server-protocol
  • 207 tests passed
• cargo test -p codex-app-server skills_list
  • 8 tests passed
• just fix -p codex-app-server -p codex-app-server-protocol -p codex-core-plugins -p codex-plugin

[github-actions]

Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

---

I have read the CLA Document and I hereby sign the CLA

---

_{You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.}