Fix workspace-scoped Codex skill discovery

[Quicksaver]

Summary

Fix Codex repo-local skill discovery in the composer by resolving skills for the active project/worktree cwd, instead of relying on the global provider status snapshot.

The bug showed up because Codex discovers local skills relative to the cwd used for the skills/list call. A provider-level status snapshot is not tied to the currently selected project/worktree, so desktop/web surfaces could show only global/provider skills even though running Codex directly from the repository correctly finds .agents/skills or .codex/skills.

This also removes backend process.cwd() leakage from Codex/Grok/Cursor provider probes. Provider checks now receive an explicit fallback cwd, so probe behavior does not accidentally depend on where the T3 backend process happened to be launched.

What Changed

• Add server.listProviderSkills RPC with typed contracts, client runtime wiring, and WebSocket handler coverage.
• Add workspace-aware Codex skill listing that calls Codex skills/list with the requested project/worktree cwd.
• Validate and normalize Codex skill-listing cwd server-side before invoking Codex.
• Add a timeout around Codex skill listing so a stalled skills/list call does not leave the composer loading indefinitely.
• Load workspace skills for the active composer workspace so both $ suggestions and inline skill chip metadata use repo-local skill data.
• Surface workspace skill-listing errors in the $ menu instead of presenting them as an empty skill set.
• Keep workspace skill state fresh across provider invalidation, reconnects, and environment/workspace changes.
• Bound the workspace skills cache and avoid preserving stale skill results while switching cwd/environment targets.
• Pass explicit cwd into Codex, Grok, and Cursor provider status probes.
• Add tests for provider skill-listing branches, provider probe cwd behavior, and stale pending workspace-skill state.

Why

Fixes #3040. Unsure when or where exactly this started happening, for me I merged in quite a large batch of upstream commits at once when it started happening.

The cwd fix is necessary but not sufficient on its own. Passing the correct cwd to provider startup and probes makes provider execution predictable, but the composer still needs a workspace-specific skill query because the provider status snapshot is global/provider-scoped rather than project-scoped.

serverConfig.cwd remains fine for provider configuration. The important change is that every Codex CLI interaction that depends on local repository context, including skills/list, receives the cwd for the active project/worktree instead of falling back to the backend process cwd or a stale provider snapshot.

The extra client-side state exists so skill suggestions and inline skill chips can use workspace-scoped data, refresh when the active environment/workspace changes, and avoid showing stale local skills from a previous cwd while a new workspace query is pending.

Validation

• ./node_modules/.bin/vp check
• ./node_modules/.bin/vp run typecheck
• ./node_modules/.bin/vp test apps/server/src/server.test.ts
• ./node_modules/.bin/vp test apps/web/src/lib/providerWorkspaceSkillsState.test.ts

Checklist

• This PR is small and focused
• I explained what changed and why

---

Note

Medium Risk
Spawns Codex app-server on skill list with cwd validation and new WS surface area; provider probe cwd changes affect Codex/Cursor/Grok status checks.

Overview
Adds server.listProviderSkills end-to-end (contracts, WS RPC, client runtime) so the composer can load workspace-scoped provider skills instead of only the global provider status snapshot.

For Codex, enabled instances validate/normalize the requested project cwd, prepare Codex home, and call app-server skills/list with that cwd via new listCodexProviderSkills. Non-Codex drivers and disabled Codex still return snapshot skills. Codex, Cursor, and Grok provider status probes now take an explicit cwd (from ServerConfig in drivers) instead of process.cwd().

The web layer adds useProviderWorkspaceSkills (cached fetch, pending/empty behavior on cwd switches) and wires ChatComposer skill menus and inline chips to it.

^{Reviewed by Cursor Bugbot for commit 6acc264. Bugbot is set up for automated code reviews on this repo. Configure here.}

Note

Fix workspace-scoped Codex skill discovery by passing cwd through provider status checks

• Adds a new server.listProviderSkills RPC endpoint that returns skills for a specific provider instance and workspace cwd, with special handling for Codex providers.
• Codex skill listing spawns a scoped app-server client process in the specified cwd, resolves the Codex home layout, and applies a 15s timeout; failures produce structured ServerProviderSkillsListError responses.
• Provider status check functions (checkCodexProviderStatus, checkCursorProviderStatus, checkGrokProviderStatus) now accept an explicit cwd parameter instead of using process.cwd().
• Adds useProviderWorkspaceSkills React hook in providerWorkspaceSkillsState.ts with LRU caching (max 100 entries) and cache invalidation on environment/provider changes.
• Integrates workspace-scoped skills into ChatComposer.tsx, showing a loading state while fetching and surfacing backend error messages in the skill menu.

^{Macroscope summarized 6acc264.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: ef380475-6e00-4704-a1bb-c10ec0f584e0

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[macroscopeapp]

Approvability

Verdict: Needs human review

This PR introduces a new feature (workspace-scoped skill discovery) with a new RPC endpoint, new client-side state management hook with caching, and changes to how multiple providers discover skills. The aggregate scope and new runtime behavior warrant human review.

^{You can customize Macroscope's approvability policy. Learn more.}