fix: widen installer regex allowlists and deduplicate safeExternalHref calls

- SAFE_GO_MODULE: allow uppercase in module paths (A-Z)
- SAFE_BREW_FORMULA: allow @ for versioned formulas (python@3.12)
- SAFE_UV_PACKAGE: allow extras [standard] and equality pins ==
- Cache safeExternalHref result in skills detail API key section

src/agents/skills-install.ts

@@ -112,10 +112,11 @@ function buildNodeInstallCommand(packageName: string, prefs: SkillsInstallPrefer
 }
 
 // Strict allowlist patterns to prevent option injection and malicious package names.
-const SAFE_BREW_FORMULA = /^[a-z0-9][a-z0-9+._-]*(\/[a-z0-9][a-z0-9+._-]*){0,2}$/;
+const SAFE_BREW_FORMULA = /^[a-z0-9][a-z0-9+._@-]*(\/[a-z0-9][a-z0-9+._@-]*){0,2}$/;
 const SAFE_NODE_PACKAGE = /^(@[a-z0-9._-]+\/)?[a-z0-9._-]+(@[a-z0-9^~>=<.*|-]+)?$/;
 const SAFE_GO_MODULE = /^[a-zA-Z0-9][a-zA-Z0-9._/-]*@[a-z0-9v._-]+$/;
-const SAFE_UV_PACKAGE = /^[a-z0-9][a-z0-9._-]*(>=?[a-z0-9._-]+)?$/i;
+const SAFE_UV_PACKAGE =
+  /^[a-z0-9][a-z0-9._-]*(\[[a-z0-9,._-]+\])?(([><=!~]=?|===?)[a-z0-9.*_-]+)?$/i;
 
 function assertSafeInstallerValue(value: string, kind: string, pattern: RegExp): string | null {
   const trimmed = value.trim();