fix(skills): scope skill reads to caller owner (#777)

read_skill_md and read_skill_reference walk all skill files via
_iter_skill_files and return the first match by slug, regardless
of owner. In a multi-user deployment where two users have skills
with the same slug under different categories, a caller scoped
to owner='alice' can read Bob's skill content.

This is the same cross-tenant leak class as the update_skill /
delete_skill fix (PR #755, merged), but on the read path.

Changes:
- read_skill_md / read_skill_reference accept owner= param (default
  None = match ownerless only, matching the write-path convention).
- 7 callers updated: tool_implementations.py (view, view_ref, patch),
  builtin_actions.py (test_skills), skills_routes.py (audit, source,
  test routes).
- Tests: read scoping (alice reads hers, not bob's), positive update
  scoping (alice can mutate her own), ownerless-match default.

tests/test_skills_manager_owner_isolation.py

@@ -193,3 +193,72 @@ def test_update_skill_scalar_keys_exclude_owner():
         "The fix removed this to prevent cross-user ownership reassignment "
         "via the updates dict."
     )
+
+
+def test_read_skill_md_scopes_to_owner(tmp_path):
+    """Two users own distinct skills with the same slug. read_skill_md()
+    called with owner='alice' must return Alice's content, not Bob's.
+    Called without an owner it must match only ownerless skills."""
+    skills_root = tmp_path / "skills"
+    skills_root.mkdir(parents=True, exist_ok=True)
+
+    alice_path = _write_skill_md(
+        skills_root, category="alice-cat", name="login-flow",
+        owner="alice", description="alice secret",
+    )
+    bob_path = _write_skill_md(
+        skills_root, category="bob-cat", name="login-flow",
+        owner="bob", description="bob secret",
+    )
+
+    sm = SkillsManager(str(tmp_path))
+
+    alice_md = sm.read_skill_md("login-flow", owner="alice")
+    assert alice_md is not None, "read_skill_md returned None for alice's skill"
+    assert "alice secret" in alice_md, (
+        f"read_skill_md(owner='alice') returned the wrong file: {alice_md[:200]}"
+    )
+
+    bob_md = sm.read_skill_md("login-flow", owner="bob")
+    assert bob_md is not None, "read_skill_md returned None for bob's skill"
+    assert "bob secret" in bob_md, (
+        f"read_skill_md(owner='bob') returned the wrong file: {bob_md[:200]}"
+    )
+
+    no_owner_md = sm.read_skill_md("login-flow")
+    assert no_owner_md is None, (
+        "read_skill_md without owner matched an owned skill — "
+        "default should only match ownerless skills. Got: "
+        f"{no_owner_md[:200] if no_owner_md else 'None'}"
+    )
+
+
+def test_update_skill_positive_scoping(tmp_path):
+    """Alice CAN update her own skill. Two users with the same slug;
+    update_skill(owner='alice') modifies only Alice's file."""
+    skills_root = tmp_path / "skills"
+    skills_root.mkdir(parents=True, exist_ok=True)
+
+    alice_path = _write_skill_md(
+        skills_root, category="alice-cat", name="login-flow",
+        owner="alice", description="alice original",
+    )
+    bob_path = _write_skill_md(
+        skills_root, category="bob-cat", name="login-flow",
+        owner="bob", description="bob original",
+    )
+
+    sm = SkillsManager(str(tmp_path))
+
+    ok = sm.update_skill("login-flow", {"description": "alice updated"}, owner="alice")
+    assert ok, "update_skill(owner='alice') should succeed on alice's file"
+
+    after_alice = alice_path.read_text(encoding="utf-8")
+    after_bob = bob_path.read_text(encoding="utf-8")
+
+    assert "alice updated" in after_alice, (
+        "Alice's file was not updated despite passing owner='alice'."
+    )
+    assert "bob original" in after_bob and "alice updated" not in after_bob, (
+        "Bob's file was mutated by Alice's update_skill call — cross-tenant leak."
+    )