Summary
The `.github/skills/security/owasp-docker/` skill ships OWASP-derived content under `CC-BY-NC-SA-4.0`, whose non-commercial restriction is incompatible with redistribution in our extension bundles and marketplace plugins. We need to:
- Stop shipping the skill in any collection, plugin, or extension VSIX.
- Add a permanent guard so withdrawn artifacts cannot be re-discovered by the auto-generators.
- Scrub narrative references to the retired skill from agents and prompts so the shipped surface does not advertise unavailable skills.

Other OWASP skills in `.github/skills/security/` carry `CC-BY-SA-4.0` (ShareAlike, attribution, no NC clause) and remain in scope.
Approach
Introduce a new `removed` maturity tier that lives at the source artifact level (frontmatter on `SKILL.md` / `.agent.md` / `.prompt.md` / `.instructions.md`) and short-circuits discovery, packaging, and channel selection.

Why a new tier rather than reusing `deprecated`:
- `deprecated` still ships in the `experimental` channel for migration purposes.
- `removed` must be excluded from every channel (stable, preview, experimental) and from `hve-core-all`.
- Source-level enforcement prevents re-introduction by `Update-HveCoreAllCollection`, which currently re-adds any artifact discovered on disk.
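The following PowerShell sketch is an added illustration of the mechanism described above; it is not the repository's `CollectionHelpers.psm1` or `Prepare-Extension.ps1`. It assumes a minimal frontmatter reader (only a top-level `maturity:` key is inspected), assumes a missing `maturity` key means `stable`, and assumes that non-removed, non-deprecated maturities ship in every channel; the function names mirror the ones listed in this issue, but their bodies are hypothetical. The two `SKILL.md` files it writes to a temp directory are constructed samples. The point it demonstrates is the layered guard: discovery drops `removed` artifacts before they are ever enumerated, and the channel-eligibility check rejects them again so a regenerated `hve-core-all` cannot pull them back in.

```powershell
# Added example (not project code). Hypothetical implementations of the helpers
# named in this issue, plus a small discovery/channel simulation.

function Get-ArtifactSourceMaturity {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Read the leading YAML frontmatter block ('---' ... '---') of the artifact.
    $lines = @(Get-Content -LiteralPath $Path)
    if ($lines.Count -eq 0 -or $lines[0].Trim() -ne '---') { return $null }
    for ($i = 1; $i -lt $lines.Count; $i++) {
        $line = $lines[$i]
        if ($line.Trim() -eq '---') { break }   # end of frontmatter
        # Only a top-level `maturity:` key counts; nested keys would be indented.
        if ($line -match '^maturity:\s*(\S+)\s*$') {
            return $Matches[1].Trim([char]'"', [char]"'")
        }
    }
    return $null
}

function Test-ArtifactRemoved {
    param([Parameter(Mandatory)][string]$Path)
    # Source-level guard: the artifact itself declares it must never ship.
    return (Get-ArtifactSourceMaturity -Path $Path) -eq 'removed'
}

function Test-CollectionMaturityEligible {
    param(
        [Parameter(Mandatory)][string]$Maturity,
        [Parameter(Mandatory)][ValidateSet('stable', 'preview', 'experimental')][string]$Channel
    )
    switch ($Maturity) {
        'removed'    { return $false }                    # excluded from every channel
        'deprecated' { return $Channel -eq 'experimental' } # migration-only, per this issue
        default      { return $true }                     # assumption: everything else ships
    }
}

# --- Simulation on constructed sample artifacts in a temp directory ---
$root = Join-Path ([IO.Path]::GetTempPath()) ("hve-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $root 'owasp-docker') -Force | Out-Null
New-Item -ItemType Directory -Path (Join-Path $root 'owasp-top-10') -Force | Out-Null

@'
---
name: owasp-docker
description: Docker hardening guidance (constructed sample)
# Held out of distribution: source content is CC-BY-NC-SA-4.0 (non-commercial clause)
maturity: removed
---
'@ | Set-Content -LiteralPath (Join-Path $root 'owasp-docker/SKILL.md')

@'
---
name: owasp-top-10
description: Web application risk categories (constructed sample)
maturity: stable
---
'@ | Set-Content -LiteralPath (Join-Path $root 'owasp-top-10/SKILL.md')

foreach ($channel in 'stable', 'preview', 'experimental') {
    $shipped = Get-ChildItem -LiteralPath $root -Recurse -Filter SKILL.md |
        # Discovery-time guard: removed artifacts are never enumerated.
        Where-Object { -not (Test-ArtifactRemoved -Path $_.FullName) } |
        # Packaging-time guard: channel eligibility is checked again.
        Where-Object {
            $m = Get-ArtifactSourceMaturity -Path $_.FullName
            if (-not $m) { $m = 'stable' }   # assumption: missing key defaults to stable
            Test-CollectionMaturityEligible -Maturity $m -Channel $channel
        } |
        ForEach-Object { $_.Directory.Name }
    '{0,-12}: {1}' -f $channel, ($shipped -join ', ')
}

Remove-Item -LiteralPath $root -Recurse -Force
```

Run as a script; each channel line should list only `owasp-top-10`, and `owasp-docker` should appear in none of them. Keeping the tier in the artifact's own frontmatter (rather than only in a collection manifest) is what makes the guard survive regeneration: any generator that walks the tree and calls the discovery helper inherits the exclusion without a per-collection deny list.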
Scope of changes
| Area | File | Change |
| --- | --- | --- |
| Schema | `scripts/linting/schemas/collection-manifest.schema.json` | Add `removed` to both maturity enums (collection-level + item-level) |
| Schema | `scripts/linting/schemas/skill-frontmatter.schema.json` | Add `maturity` property with `removed` enum value |
| Helpers | `scripts/collections/Modules/CollectionHelpers.psm1` | Add `Get-ArtifactSourceMaturity`, `Test-ArtifactRemoved`; honor source maturity in auto-discovery |
| Discovery | `scripts/extension/Find-CollectionManifests.ps1` | Skip `removed` items alongside `deprecated` |
| Packaging | `scripts/extension/Prepare-Extension.ps1` | Add `removed` case to `Test-CollectionMaturityEligible` |
| Source frontmatter | `.github/skills/security/owasp-docker/SKILL.md` | Set `maturity: removed` with OWASP licensing rationale |
| Manifests | `collections/security.collection.yml`, `security.collection.md` | Remove `owasp-docker` entry + table row |
| Agent narrative | `.github/agents/security/security-reviewer.agent.md` | Remove `owasp-docker` from skill lists |
| Subagent narrative | `.github/agents/security/subagents/skill-assessor.agent.md` | Remove name from the skill resolution example |
| Subagent narrative | `.github/agents/security/subagents/finding-deep-verifier.agent.md` | Remove name from the skill resolution example |
| Subagent narrative | `.github/agents/security/subagents/codebase-profiler.agent.md` | Remove name from the skill resolution example and any profiling block |
| Prompt | `.github/prompts/security/security-review.prompt.md` | Remove name from `argument-hint` and `targetSkill` enumeration |
| Generated artifacts | `collections/hve-core-all.collection.{yml,md}`, `plugins/**` | Regenerated via `npm run plugin:generate` |
Acceptance criteria
- `npm run plugin:generate` succeeds and produces no `plugins/**/skills/security/owasp-docker/` outputs.
- `npm run plugin:validate`, `npm run lint:collections-metadata`, and `npm run lint:frontmatter` all pass.
- `removed` is accepted by both schema enums and is not rejected anywhere it is a valid value.
- Re-running the generator does not re-introduce the skill.
- `SKILL.md` documents why the skill is held back via an OWASP licensing comment.
- No agent or prompt in the shipped surface advertises `owasp-docker` as a selectable skill.
Out of scope
- Final OWASP-Docker licensing decision: tracked separately. This issue ships the mechanism to safely hold the skill out of distribution while that decision is made.
- Replacement Docker security knowledge base: to be considered after licensing resolves.
- Other OWASP skills under `CC-BY-SA-4.0` (e.g., `owasp-mcp`, `owasp-top-10`, `owasp-llm`, `owasp-agentic`, `owasp-cicd`, `owasp-infrastructure`): the open ShareAlike license keeps these in scope for distribution.
Branch
`chore/remove-owasp-docker-add-removed-maturity`