chore(licensing): update security instruction attributions and compliance #1294

Merged
WilliamBerryiii merged 6 commits into main from chore/update-security-instruction-attributions
Apr 6, 2026

WilliamBerryiii (Member) commented Apr 3, 2026

chore(licensing): update security instruction attributions and compliance

Description

This PR delivers standards licensing compliance remediation for the hve-core repository. The changes address three areas across 54 files (+494/−42 lines):

  1. Third-party content compliance — Removed the embedded CIS Controls v8.1 table (17 lines listing CIS 1–10) from standards-mapping.instructions.md because CIS licensing prohibits redistribution of control text. CIS lookups now delegate to the Researcher Subagent at runtime. The cross-reference table was updated from specific control numbers (e.g. "1, 2, 4, 7") to "via delegation", and the per-component output template changed the CIS field to "delegated — include Researcher Subagent findings or N/A".

  2. OWASP attribution and licensing — Corrected the license field on three OWASP skills (owasp-agentic, owasp-llm, owasp-top-10) from MIT to CC-BY-SA-4.0. Added ## Third-Party Attribution blocks with copyright, license, source URL, modification description, and trademark notice to each SKILL.md. Added CC BY-SA 4.0 attribution footers to all 33 OWASP vulnerability reference documents (11 per skill). Added OWASP® trademark registration marks across instruction and skill files.

  3. Skill metadata enrichment — Added license, metadata (authors, spec_version, framework_revision, last_updated, skill_based_on, content_based_on), and compatibility fields to all 12 skill SKILL.md frontmatters. Expanded skill-frontmatter.schema.json with property definitions for these three fields (+43 lines). Documented the new fields in docs/contributing/skills.md (+57 lines).

Supporting artifacts: THIRD-PARTY-NOTICES file (84 lines, 8 external sources), a "Licensing" subsection in README.md explaining the dual-license model (MIT repository + CC BY-SA 4.0 for OWASP-derived content), and plugin README regeneration reflecting CIS reclassification.

Detailed Change Breakdown

Commit 1: 2df4ce6c — CIS removal and delegation

standards-mapping.instructions.md (59 lines changed):

  • Removed: 17-line "Embedded CIS Controls" section containing CIS 1–10 control table
  • Added: CIS row to Researcher Subagent delegation table with "License terms prohibit redistribution; use runtime lookup"
  • Updated: Removed CIS from the "Do NOT delegate" instruction line
  • Updated: Cross-reference table — 8 rows changed from specific CIS control numbers to "via delegation"
  • Updated: Per-component output template CIS field to "delegated — include Researcher Subagent findings or N/A"
  • Updated: Description frontmatter from "Embedded OWASP, NIST, and CIS" to "Embedded OWASP and NIST"
  • Added: 13-line ## Third-Party Attribution section (OWASP CC BY-SA 4.0, NIST public domain)
  • Added: OWASP® trademark registration marks

sssc-standards.instructions.md (+28 lines):

  • Added ## Third-Party Attribution section covering 6 external standards: OpenSSF Scorecard (Apache 2.0), SLSA (Community Specification 1.0), Best Practices Badge (MIT + CC BY 3.0+), Sigstore (Apache 2.0), SPDX (Community Specification 1.0), CycloneDX (Apache 2.0)
  • Added OpenSSF® trademark notice

identity.instructions.md: Updated description to remove CIS reference in standards coverage summary.

3 plugin READMEs: Updated CIS wording from "embedded" to "runtime lookup via Researcher Subagent."

Commit 2: d4b073b7 — License metadata and OWASP attribution

12 SKILL.md files — Added frontmatter fields to all skills:

| Skill | License | metadata fields | compatibility |
|---|---|---|---|
| owasp-agentic | CC-BY-SA-4.0 | authors, spec_version, framework_revision, last_updated, content_based_on | CC BY-SA 4.0 attribution required |
| owasp-llm | CC-BY-SA-4.0 | authors, spec_version, framework_revision, last_updated, content_based_on | CC BY-SA 4.0 attribution required |
| owasp-top-10 | CC-BY-SA-4.0 | authors, spec_version, framework_revision, last_updated, content_based_on | CC BY-SA 4.0 attribution required |
| 9 other skills | MIT | authors, spec_version (varies) | runtime-specific (Python, Node, etc.) |

33 OWASP reference files — Added CC BY-SA 4.0 attribution footer to each vulnerability reference document:

  • .github/skills/security/owasp-agentic/references/01–10 (11 files)
  • .github/skills/security/owasp-llm/references/01–10 (11 files)
  • .github/skills/security/owasp-top-10/references/01–10 (11 files)

3 OWASP SKILL.md files — Added ## Third-Party Attribution blocks with copyright, license identifier, source URL, modification description, and OWASP® trademark notice.

skill-frontmatter.schema.json (+43 lines):

  • Added license property (SPDX identifier, string, max 128 chars)
  • Added compatibility property (runtime requirements, string, max 256 chars)
  • Added metadata object with 6 optional sub-properties: authors, spec_version, framework_revision, last_updated (ISO 8601 pattern), skill_based_on, content_based_on

THIRD-PARTY-NOTICES (new file, 84 lines) — Centralized attribution for 8 external sources:

| Source | License | Usage |
|---|---|---|
| OWASP Top 10, LLM Top 10, Agentic Top 10 | CC BY-SA 4.0 | Restructured into skill reference documents |
| NIST SP 800-53 Rev 5 & AI RMF 1.0 | Public Domain (17 U.S.C. § 105) | Referenced in instructions and cross-reference tables |
| OpenSSF Scorecard | Apache 2.0 | Referenced in SSSC standards instructions |
| SLSA | Community Specification 1.0 | Referenced in SSSC standards instructions |
| OpenSSF Best Practices Badge | MIT + CC BY 3.0+ | Referenced in SSSC standards instructions |
| Sigstore | Apache 2.0 | Referenced in SSSC standards instructions |
| SPDX | Community Specification 1.0 | Referenced in SSSC standards instructions |
| CycloneDX, NTIA SBOM | Apache 2.0, Public Domain | Referenced in SSSC standards instructions |

README.md (+8 lines) — Added "Licensing" subsection:

Most content in this repository is covered by the MIT License. Certain skill content derived from OWASP Foundation publications is licensed under CC BY-SA 4.0. Each affected skill identifies its license in frontmatter and includes a Third-Party Attribution section.

prompt-builder.instructions.md: Added license to the list of required SKILL.md frontmatter fields (valid-keys enumeration).

Commit 3: 81d2d51d — Contributing documentation

docs/contributing/skills.md (+57 lines):

  • Added compatibility field documentation with description and examples
  • Added guidance for declaring runtime requirements in skill frontmatter

Commit 4: b702d0cc — Table formatting

docs/contributing/skills.md: Normalized table column widths to pass the format:tables CI check.

Related Issue(s)

Closes #1295

Type of Change

Select all that apply:

Code & Documentation:

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to change)
  • Documentation update

Infrastructure & Configuration:

  • GitHub Actions workflow
  • Linting configuration (markdown, PowerShell, etc.)
  • Security configuration
  • DevContainer configuration
  • Dependency update

AI Artifacts:

  • Reviewed contribution with prompt-builder agent and addressed all feedback
  • Copilot instructions (.github/instructions/*.instructions.md)
  • Copilot prompt (.github/prompts/*.prompt.md)
  • Copilot agent (.github/agents/*.agent.md)
  • Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

  • Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
  • Skills: Must include both bash and PowerShell scripts. See Skills.
  • Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
  • See Agents Not Accepted and Model Version Requirements.

Other:

  • Script/automation (.ps1, .sh, .py)
  • Other (please describe):

Sample Prompts (for AI Artifact Contributions)

User Request:

These changes modify metadata and attribution content on existing instruction and skill files. No new agent, prompt, or skill invocation is introduced. The artifacts continue to function identically — users invoke them through the same prompts and workflows as before.

Execution Flow:

  1. OWASP skills (owasp-agentic, owasp-llm, owasp-top-10) load their SKILL.md and reference files during security review workflows. The license field now correctly declares CC-BY-SA-4.0 and each reference file includes a CC BY-SA 4.0 footer.
  2. standards-mapping.instructions.md no longer contains embedded CIS Controls content. When CIS lookup is needed, the instruction delegates to the Researcher Subagent for runtime retrieval.
  3. sssc-standards.instructions.md includes a Third-Party Attribution section identifying six external standard sources.
  4. All 12 skills now expose license and metadata fields in frontmatter, enabling downstream tooling to detect licensing requirements automatically.

Output Artifacts:

No new output artifacts are created by invoking these AI artifacts. The changes affect metadata, attribution, and compliance content only.

Success Indicators:

  • npm run validate:skills passes with all 12 skills validated.
  • npm run lint:frontmatter passes with all frontmatter fields valid.
  • OWASP skill SKILL.md files show license: CC-BY-SA-4.0 and a ## Third-Party Attribution section.
  • Non-OWASP skill SKILL.md files show license: MIT.
  • All 33 OWASP reference files end with a CC BY-SA 4.0 attribution footer.

Testing

Automated validation performed:

| Check | Command | Status |
|---|---|---|
| Markdown linting | npm run lint:md | ✅ Pass (0 errors, 195 files) |
| Spell checking | npm run spell-check | ✅ Pass (0 issues, 318 files) |
| Frontmatter validation | npm run lint:frontmatter | ✅ Pass (0 errors, 0 warnings) |
| Skill structure validation | npm run validate:skills | ✅ Pass (12 skills, 0 errors) |
| Link validation | npm run lint:md-links | ✅ Pass |
| PowerShell analysis | npm run lint:ps | ✅ Pass (0 issues) |
| Plugin freshness | npm run plugin:generate | ✅ Pass (no uncommitted changes) |

Manual testing was not performed. Changes are metadata, attribution, and documentation only.

Checklist

Required Checks

  • Documentation is updated (if applicable)
  • Files follow existing naming conventions
  • Changes are backwards compatible (if applicable)
  • Tests added for new functionality (N/A — no testable functionality added)

AI Artifact Contributions

  • Used /prompt-analyze to review contribution (N/A — metadata-only changes to existing artifacts; no new agents, prompts, or skills introduced)
  • Addressed all feedback from prompt-builder review (N/A — metadata-only changes)
  • Verified contribution follows common standards and type-specific requirements (N/A — validated via npm run validate:skills and npm run lint:frontmatter)

Required Automated Checks

The following validation commands must pass before merging:

  • Markdown linting: npm run lint:md
  • Spell checking: npm run spell-check
  • Frontmatter validation: npm run lint:frontmatter
  • Skill structure validation: npm run validate:skills
  • Link validation: npm run lint:md-links
  • PowerShell analysis: npm run lint:ps
  • Plugin freshness: npm run plugin:generate

Security Considerations

  • This PR does not contain any sensitive or NDA information
  • Any new dependencies have been reviewed for security issues (N/A — no dependency changes)
  • Security-related scripts follow the principle of least privilege (N/A — no security scripts modified)

GHCP Artifact Maturity

Warning

This PR includes experimental GHCP artifacts that may have breaking changes.

  • .github/instructions/security/identity.instructions.md
  • .github/instructions/security/sssc-standards.instructions.md
  • .github/instructions/security/standards-mapping.instructions.md
  • .github/skills/experimental/powerpoint/SKILL.md
  • .github/skills/experimental/video-to-gif/SKILL.md
  • .github/skills/experimental/vscode-playwright/SKILL.md
  • .github/skills/security/owasp-agentic/SKILL.md
  • .github/skills/security/owasp-llm/SKILL.md
  • .github/skills/security/owasp-top-10/SKILL.md

| File | Type | Maturity | Notes |
|---|---|---|---|
| .github/instructions/hve-core/prompt-builder.instructions.md | Instructions | ✅ stable | All builds |
| .github/instructions/security/identity.instructions.md | Instructions | ⚠️ experimental | Security collection |
| .github/instructions/security/sssc-standards.instructions.md | Instructions | ⚠️ experimental | Security collection |
| .github/instructions/security/standards-mapping.instructions.md | Instructions | ⚠️ experimental | Security collection |
| .github/skills/experimental/powerpoint/SKILL.md | Skill | ⚠️ experimental | Experimental collection |
| .github/skills/experimental/video-to-gif/SKILL.md | Skill | ⚠️ experimental | Experimental collection |
| .github/skills/experimental/vscode-playwright/SKILL.md | Skill | ⚠️ experimental | Experimental collection |
| .github/skills/gitlab/gitlab/SKILL.md | Skill | ✅ stable | GitLab collection |
| .github/skills/installer/hve-core-installer/SKILL.md | Skill | ✅ stable | Installer collection |
| .github/skills/jira/jira/SKILL.md | Skill | ✅ stable | Jira collection |
| .github/skills/security/owasp-agentic/SKILL.md | Skill | ⚠️ experimental | Security collection |
| .github/skills/security/owasp-llm/SKILL.md | Skill | ⚠️ experimental | Security collection |
| .github/skills/security/owasp-top-10/SKILL.md | Skill | ⚠️ experimental | Security collection |
| .github/skills/shared/pr-reference/SKILL.md | Skill | ✅ stable | hve-core collection |

GHCP Maturity Acknowledgment

  • I acknowledge this PR includes non-stable GHCP artifacts
  • Non-stable artifacts are intentional for this change

Additional Notes

  • The THIRD-PARTY-NOTICES file follows Microsoft OSS conventions with per-source attribution blocks containing license identifier, source URL, usage description, and modification notes where applicable.
  • CIS Controls v8.1 content was the only embedded material that required removal. NIST content is public domain (17 U.S.C. § 105) and OWASP content is now properly attributed under CC BY-SA 4.0.
  • The metadata.content_based_on field in OWASP skill frontmatter links directly to the upstream OWASP publication, enabling automated provenance verification.
  • Plugin READMEs were regenerated via npm run plugin:generate to reflect CIS reclassification from "embedded" to "runtime lookup via Researcher Subagent."
  • The compatibility field was added to the JSON schema and three OWASP SKILL.md files to indicate CC BY-SA 4.0 attribution requirements for downstream consumers.
  • Trademark registration marks (®) were added for OWASP and OpenSSF across relevant files.
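
The frontmatter constraints and success indicators in the description above (license present, length limits, ISO 8601 last_updated, an attribution section on CC-BY-SA-4.0 skills) can be checked mechanically. The following is an added example, not code from the hve-core repository or its linting scripts; the function names, the YYYY-MM-DD date regex, the minimal frontmatter parser, and the sample documents are assumptions constructed for illustration.

```python
import re

# Limits come from the PR description. The date regex is an assumption:
# the page only says last_updated follows an "ISO 8601 pattern".
MAX_LICENSE, MAX_COMPAT = 128, 256
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
ATTRIBUTION_HEADING = "## Third-Party Attribution"


def split_frontmatter(text):
    """Return (frontmatter dict, body); flat keys plus one nesting level only."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---" or "---" not in lines[1:]:
        return {}, text
    end = lines.index("---", 1)
    data, parent = {}, None
    for raw in lines[1:end]:
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip("'\"")
        if raw[0] in " \t" and parent is not None:
            data[parent][key] = value      # nested under e.g. metadata:
        elif value == "":
            parent, data[key] = key, {}    # start of a nested block
        else:
            parent, data[key] = None, value
    return data, "\n".join(lines[end + 1:])


def check_skill(text):
    """Return a list of findings; an empty list means the file passes."""
    fm, body = split_frontmatter(text)
    findings = []
    lic = fm.get("license")
    if not isinstance(lic, str) or not lic:
        findings.append("license: missing")
    elif len(lic) > MAX_LICENSE:
        findings.append("license: longer than 128 characters")
    if len(str(fm.get("compatibility", ""))) > MAX_COMPAT:
        findings.append("compatibility: longer than 256 characters")
    meta = fm.get("metadata", {})
    if not isinstance(meta, dict):
        findings.append("metadata: not an object")
    elif "last_updated" in meta and not ISO_DATE.match(meta["last_updated"]):
        findings.append("metadata.last_updated: not an ISO 8601 date")
    # Share-alike content must carry its attribution block in the same file.
    has_block = any(l.strip() == ATTRIBUTION_HEADING for l in body.splitlines())
    if lic == "CC-BY-SA-4.0" and not has_block:
        findings.append("license CC-BY-SA-4.0: no Third-Party Attribution section")
    return findings


# Constructed samples, not files from the repository.
GOOD = """---
license: CC-BY-SA-4.0
metadata:
  last_updated: 2026-04-03
  content_based_on: https://example.org/upstream
---
## Third-Party Attribution
Constructed attribution text.
"""
BAD = """---
license: CC-BY-SA-4.0
metadata:
  last_updated: April 2026
---
"""
```
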

Bill Berry added 3 commits April 3, 2026 08:23
…egation

- remove embedded CIS Controls table, delegate to researcher subagent
- add third-party attribution to standards-mapping and sssc-standards
- add OWASP and OpenSSF trademark marks at first reference
- create THIRD-PARTY-NOTICES file at repository root

📜 - Generated by Copilot

- add license, compatibility, and metadata fields to all 12 skill frontmatter blocks
- strengthen OWASP CC BY-SA 4.0 attribution across 33 reference files and THIRD-PARTY-NOTICES
- update skill-frontmatter schema with license, compatibility, and metadata properties
- add multi-license notice to README and update contributing docs
- regenerate plugins to reflect updated skill metadata

📜 - Generated by Copilot

@WilliamBerryiii WilliamBerryiii requested a review from a team as a code owner April 3, 2026 22:04

codecov-commenter commented Apr 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.62%. Comparing base (0c30bad) to head (8b12490).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1294      +/-   ##
==========================================
- Coverage   87.63%   87.62%   -0.02%     
==========================================
  Files          61       61              
  Lines        9328     9328              
==========================================
- Hits         8175     8174       -1     
- Misses       1153     1154       +1     

| Flag | Coverage Δ |
|---|---|
| pester | 85.18% <ø> (-0.02%) ⬇️ |

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

github-actions bot (Contributor) left a comment

Automated PR Review — chore/update-security-instruction-attributions

This PR delivers well-scoped licensing compliance work: correcting OWASP license fields, removing redistributable CIS Controls content, adding attribution blocks and THIRD-PARTY-NOTICES, and enriching skill frontmatter with license, metadata, and compatibility fields. The implementation is clean and the automated validation table is thorough. Two required process items must be addressed before merge.


⚠️ Issue Alignment

No issue is linked to this PR.

The "Related Issue(s)" section explicitly states "No linked issues." Per the repository contribution guidelines, every PR must reference an issue using "Fixes #", "Closes #", or "Resolves #" so changes can be traced to a tracked work item.

Required action: Open an issue describing the licensing compliance gap (e.g., "Remediate OWASP and CIS licensing in hve-core") and link it to this PR before merging.


⚠️ PR Template Compliance

AI Artifact Contributions checklist — unchecked

The "Type of Change" section has both Copilot instructions and Copilot skill checked, which means the AI Artifact Contributions checklist in the "Checklist" section is required. All three items are currently unchecked:

  • Used /prompt-analyze to review contribution
  • Addressed all feedback from prompt-builder review
  • Verified contribution follows common standards and type-specific requirements

Required action: Complete the AI Artifact Contributions checklist, or explicitly mark items as N/A with justification if they do not apply to metadata-only changes.

GHCP Maturity Acknowledgment — unchecked (manual action required)

The PR correctly identifies 10 non-stable GHCP artifacts under "GHCP Artifact Maturity" but the two acknowledgment checkboxes are unchecked:

  • I acknowledge this PR includes non-stable GHCP artifacts
  • Non-stable artifacts are intentional for this change

These require manual author acknowledgment before merge.


🔍 Coding Standards

Changes to .github/instructions/*.instructions.md, SKILL.md files, and docs/contributing/skills.md all follow the applicable conventions from prompt-builder.instructions.md, markdown.instructions.md, and writing-style.instructions.md. No violations found.

The THIRD-PARTY-NOTICES file uses (www.bestpractices.dev/redacted) (no trailing slash) while sssc-standards.instructions.md uses (www.bestpractices.dev/redacted). This is a cosmetic inconsistency that does not affect correctness.


✅ Code Quality

  • License field corrections (MIT → CC-BY-SA-4.0) on the three OWASP skills are accurate and consistent with the upstream OWASP Foundation licensing.
  • CIS Controls removal from embedded content is appropriate given redistribution restrictions; delegation to the Researcher Subagent is the correct pattern.
  • Attribution blocks in reference files and SKILL.md files are consistent and well-formatted.
  • JSON schema additions in skill-frontmatter.schema.json are correct; see inline comment for a non-blocking observation on additionalProperties: true for the metadata object.
  • Plugin README regeneration is consistent with the npm run plugin:generate workflow.

📋 Required Actions Before Merge

  1. Link a GitHub issue to this PR (Fixes #NNNN or Resolves #NNNN).
  2. Complete or address the AI Artifact Contributions checklist (three unchecked items under "Checklist → AI Artifact Contributions").
  3. Check the GHCP Maturity Acknowledgment boxes manually to confirm awareness of the non-stable artifacts included.

Generated by PR Review for issue #1294

Comment thread scripts/linting/schemas/skill-frontmatter.schema.json
@WilliamBerryiii (Member, Author)

@JasonTheDeveloper ... sorry for closing your PR ... but this mess is what needed to be done ..

raymond-nassar (Collaborator) left a comment

PR Review — chore/update-security-instruction-attributions

Well-scoped licensing compliance work. The CIS removal, OWASP license corrections, and attribution blocks are all appropriate. Two inline comments below, plus one general observation:

Skill Coverage

The PR description claims all 12 skills were updated with license, metadata, and compatibility fields, but only 10 SKILL.md files appear in the diff. Can you confirm whether security-reviewer-formats/SKILL.md (and any other missing skill) already has these fields, or whether they were inadvertently skipped?

Overall

The THIRD-PARTY-NOTICES file, README licensing subsection, and reference file attribution footers are thorough and consistent. Automated validation passing across all checks is a good sign. See the two inline comments for minor items.

Comment thread .github/instructions/security/standards-mapping.instructions.md
Comment thread .github/skills/installer/hve-core-installer/SKILL.md

raymond-nassar (Collaborator) left a comment

Two minor changes requested, but everything else seems good to go.

@WilliamBerryiii WilliamBerryiii merged commit 1dca623 into main Apr 6, 2026
40 checks passed
@github-actions github-actions bot mentioned this pull request Apr 6, 2026

Development

Successfully merging this pull request may close these issues.

Standards licensing compliance remediation for security instructions and skills

4 participants