fix: reject invalid SKILL.md YAML frontmatter

[jlizen]

What does this PR do?

Problem

Symposium parsed SKILL.md frontmatter with a loose line-based parser, so malformed YAML like description: [Critical] ... could pass validation and be installed by hook-managed sync. Agents then rejected the copied skill at startup because they parse the same frontmatter as YAML.

We are also serving some broken frontmatter in symposium/recommendations. That package's CI will now fail due to our tighter validation, and I'll fix it over there (symposium-dev/recommendations#9)

Solution

Parse skill frontmatter as YAML before matching or installing skills, require metadata fields to be strings, and add a sync regression test proving invalid skill frontmatter is skipped instead of copied into .agents/skills.

symposium will warn when it skips loading due to misformatted files. That might not be the right ux choice long-term, but whilst most of our users are people also developing symposium, it's probably good :)

I didn't add a snapshot test since the sync output is not designed to have i/o injected and it would have exploded the diff. Happy to follow up with that if desired.

Here's a manual test though:

 Running `/Users/jess/workplace/symposium/target/debug/cargo-agents sync`
⚠️  skipping /tmp/symposium-home/plugins/bad-skill/SKILL.md: failed to load standalone skill: failed to parse frontmatter in /tmp/symposium-home/plugins/bad-skill/SKILL.md
ℹ️  scanning 2 workspace dependencies
🟢 /private/tmp/symposium-workspace/.codex/hooks.json: hooks already registered
➖ removed skill rust-best-practice from /private/tmp/symposium-workspace/.agents/skills/rust-best-practice
ℹ️  no applicable skills found for workspace dependencies

AI disclosure.

• I used an AI tool for research, autocomplete, or in other minimal ways
• The AI tool authored small parts of the code (e.g., autocomplete, comments)
• The AI tool authored large parts of the code

Confidence level.

• I am very happy with it

[nikomatsakis]

Seems good

[nikomatsakis]

we should just remove this if, I thikn it .. serves no purpose?

[nikomatsakis]

I'd like a test that plugin validate will reject a plugin repo with a standalone skill that is illformed