Summary

Remediate standards licensing compliance across security instructions and skill packages in hve-core. The repository includes content derived from external standards (OWASP, CIS, NIST, OSSF) that requires proper attribution, license declarations, and redistribution compliance.

Problem

1. CIS Controls v8.1 content embedded in standards-mapping.instructions.md — CIS licensing prohibits redistribution of their controls content, but the file contained embedded CIS mappings.
2. OWASP skills declared license: MIT — Three OWASP-derived skills (owasp-agentic, owasp-llm, owasp-top-10) contain content licensed under CC BY-SA 4.0, but their frontmatter declared MIT. The 33 OWASP vulnerability reference files lacked CC BY-SA 4.0 attribution footers.
3. Missing THIRD-PARTY-NOTICES — No centralized third-party attribution file existed for the repository.
4. Incomplete skill metadata — Skills lacked license, metadata, and compatibility fields in frontmatter, preventing automated license detection.
5. Contributing docs gaps — The skills contributing guide did not document the new metadata fields or the compatibility field in the schema.

Acceptance Criteria

• CIS Controls content removed and replaced with runtime Researcher Subagent delegation
• OWASP skills declare license: CC-BY-SA-4.0 with attribution blocks in SKILL.md
• All 33 OWASP reference files include CC BY-SA 4.0 footers
• Non-OWASP skills declare license: MIT
• THIRD-PARTY-NOTICES file created covering all external sources
• README.md includes a Licensing subsection explaining the dual-license model
• All 12 skills include license and metadata fields in frontmatter
• compatibility field added to skill schema and documented
• docs/contributing/skills.md documents new fields
• npm run validate:skills passes (12/12)
• npm run lint:frontmatter passes
• Plugins regenerated to reflect CIS reclassification

Implementation

Addressed in PR #1294 across 4 commits and 56 changed files.