Hivemind turns agent traces into skills and shares with your team

Summary

Three tactical fixes for the cross-author and cross-project duplicate skills problem on the skills Deeplake table. Each commit is independent and focused; landing all three closes the gap that produced the duplicates we currently have in prod (e.g. meta-harness-continual-learning ↔ continual-learning-meta-harness, the three near-identical hivemind-*-testing skills).

What was actually broken

1. created_at was reset on every MERGE. All 27 rows in the prod skills table have created_at == updated_at because the worker stamped now() on both fields at every INSERT. The local SKILL.md frontmatter already preserved the v=1 creation date correctly — only the DB row didn't see it.

2. deriveProjectKey hashed the raw git remote URL. Five surface forms of the same repo (git@..., https://..., with/without .git, with embedded credentials) produced five different project_key values. Two devs cloning the same repo with different URL styles ended up with disjoint state.

3. The gate only read <cwd>/.claude/skills/, never ~/.claude/skills/. Autopull lands skills under the global root regardless of scope-config; the worker only looked at the project root. With the default install=project, the gate saw zero existing skills no matter how many had been autopulled — so every mining run started from a blank slate and re-created near-identical skills.

Commits

• fix(skilify): preserve created_at across MERGE in skills table — thread the v=1 created_at through SkillWriteResult instead of stamping now().
• fix(skilify): normalize git remote URL before hashing for projectKey — collapse SSH/HTTPS/.git/cred variants to a canonical host/owner/repo form.
• fix(skilify): gate reads project + global skills, only [project] mergeable — extract the existing-skills logic into a testable module, read both roots, tag entries [project] (MERGE-eligible) or [global, read-only] (reference only). Cross-author MERGE intentionally stays forbidden in this PR.

Out of scope (filed separately)

• Cross-author MERGE with a contributors column and auto-promote me → team on cross-author edits — see activeloopai/hivemind#118. The interim restriction in this PR (MERGE only into your own project skills) avoids silently overwriting teammates' work until that lands.
• Compaction of old version rows (e.g. 7 skills-autopull-fanout-symlinks versions) — purely a storage-bloat concern, not a correctness one.

Test plan

• [x] npm run build clean
• [x] npm test — 2189 passing (was 2175 before; +14 from new tests)
• [x] New tests: skilify-state.test.ts (URL normalization, 4 cases), skilify-skill-writer.test.ts (createdAt threading through SkillWriteResult), skilify-existing-skills.test.ts (7 cases: both roots, dedupe project-wins, source tagging, char-cap placeholder)
• [x] Bundle-scan tests updated for new gate-prompt heading
• [ ] Manual smoke: run a session in a project with autopulled global skills, confirm the gate prompt now mentions them as [global, read-only]

Summary by CodeRabbit

Release Notes

• New Features

  • Skills now include creation and modification timestamps for better tracking.
  • Enhanced existing skills display showing both project and global read-only skills with clear source labels.

• Improvements

  • Clarified merge eligibility rules in skill curation prompts—only project skills are valid merge targets; global skills are reference-only references.
  • Improved project identification through consistent normalization of Git remote URLs.