Advisory review — this PR is from a maintainer. Findings are informational only.

Review Overview

This PR cleanly implements the removed maturity tier as a first-class source-level exclusion mechanism, retires owasp-docker from all distribution channels, and provides comprehensive Pester coverage across collection helpers, extension preparation, plugin generation, and schema enforcement. The issue acceptance criteria (Issue #1442) are fully met, and the approach — enforcing exclusion at the source frontmatter level to prevent re-introduction by auto-generators — is sound.

Issue Alignment ✅

Issue: #1442 — Remove owasp-docker skill and introduce 'removed' maturity tier

All acceptance criteria are satisfied:

• plugins/**/skills/security/owasp-docker/ symlinks removed.
• removed accepted in both schema enums (collection-manifest and skill-frontmatter).
• Re-running the generator does not re-introduce the skill (Update-HveCoreAllCollection now filters removed items).
• SKILL.md documents the licensing rationale via an inline YAML comment.
• No agent or prompt in the shipped surface advertises owasp-docker.

PR Template Compliance ✅

Description is complete and well-written. Issue reference (Closes #1442) is present. Type of Change checkboxes (new feature, breaking change, documentation update, prompt/agent/skill, script/automation) accurately reflect the diff. Sample Prompts section is populated for the AI artifact changes. Testing section documents 2036 passing tests and the pre-existing validate:skills failure is correctly disclosed with a note that it is unrelated and tracked separately. All required checklist items are checked, with the one unchecked validate:skills item transparently explained.

Coding Standards ✅ (with two minor notes — see inline comments)

The PowerShell conventions are followed throughout: copyright headers, #Requires -Version 7.0, [CmdletBinding()], comment-based help with .SYNOPSIS, .DESCRIPTION, .PARAMETER, .OUTPUTS, and Export-ModuleMember listing. One new test file (Schemas-RemovedMaturity.Tests.ps1) has two minor convention deviations flagged in the inline comments: incorrect #Requires / copyright ordering, and missing -Tag 'Unit' on Describe blocks.

Code Quality ✅

• Get-ArtifactSourceMaturity: Regex (?s)^---\s*\r?\n(.*?)\r?\n--- is correct and handles the YAML comment present in owasp-docker/SKILL.md since ConvertFrom-Yaml strips comments before parsing. The null-return path for missing files, missing frontmatter, and malformed YAML is well-guarded.
• Test-ArtifactRemoved: Thin, single-responsibility wrapper — correct. PowerShell's -eq is case-insensitive by default, which is a reasonable tolerance here given schema validation enforces the lowercase removed value at the source.
• Prepare-Extension.ps1: All four discovery functions (Get-DiscoveredAgents, Get-DiscoveredPrompts, Get-DiscoveredInstructions, Get-DiscoveredSkills) now filter removed artifacts. The skill discovery correctly passes $_.Directory.FullName (the skill directory) rather than the SKILL.md path, which aligns with the directory-resolution branch in Get-ArtifactSourceMaturity.
• Update-HveCoreAllCollection: The additional guard runs before the deprecated-item filter, which is the correct ordering to prevent re-introduction by the all-collection generator.
• Collection manifests / plugin outputs: Removal of the owasp-docker entry from hve-core-all and security manifests is consistent and complete.

Action Items

1. (Minor) Fix #Requires / copyright order in scripts/tests/linting/Schemas-RemovedMaturity.Tests.ps1 (see inline comment, line 4).
2. (Minor) Add -Tag 'Unit' to both Describe blocks in scripts/tests/linting/Schemas-RemovedMaturity.Tests.ps1 (see inline comment, line 14).

Both items are low-risk corrections to a new test file before merge.

Generated by PR Review for issue #1444 · ● 2M

Advisory review, this PR is from a maintainer. Findings are informational only.

Review Summary

This PR implements the removed maturity tier across the schema, collection manifests, tooling, tests, and documentation, and uses it to retire the owasp-docker skill — a well-scoped, well-executed change. The PR description is complete, the linked issue (#1442) is fully addressed in scope, and the template is filled correctly. Most of the implementation is clean and consistent with existing patterns.

One important gap worth addressing before this lands is described below, alongside two lower-priority observations.

Issue Alignment

✅ Addresses all requirements from #1442:

• Schema updated to include removed at both collection and item levels
• owasp-docker marked maturity: removed in security.collection.yml
• Update-HveCoreAllCollection guard added to skip removed items during plugin generation
• Narrative references to owasp-docker scrubbed from agent, prompt, and documentation files
• Plugin outputs regenerated

No scope creep and no missing acceptance criteria detected.

PR Template Compliance

✅ All required sections present and filled.
✅ Type-of-change checkboxes match the actual diff (Copilot skill, Copilot agent, Copilot prompt, Copilot instructions all changed; corresponding checkboxes checked).
✅ Testing section describes specific commands and observed results.
✅ AI Artifact Contributions checklist items checked.

Code Quality

⚠️ Important: Re-discovery gap in hve-core-all.collection.yml

See inline comment on collections/hve-core-all.collection.yml:588.

Update-HveCoreAllCollection (called by Generate-Plugins.ps1:205) discovers artifacts by scanning .github/skills/ on disk and defaults any item not already in the manifest to maturity: 'stable'. Because the owasp-docker entry was deleted from hve-core-all rather than retained with maturity: removed, the guard at CollectionHelpers.psm1:518 will never fire for it — the item is invisible to the check, and the next npm run plugin:generate will silently re-add owasp-docker to hve-core-all with maturity: stable.

Suggested fix: retain the entry in hve-core-all.collection.yml with maturity: removed:

- path: .github/skills/security/owasp-docker
  kind: skill
  maturity: removed

This is consistent with the documentation added in this PR ("Every collection that references the artifact must carry the same marker") and makes the guard function as designed on every subsequent invocation.

💡 Minor: removed guard pattern is inconsistent with deprecated

See inline comment on scripts/collections/Modules/CollectionHelpers.psm1:518.

deprecated items use a named helper (Test-ArtifactDeprecated) and a running counter ($deprecatedCount) surfaced in summary output. removed items use an inline string comparison and no counter. The linked issue called for a Test-ArtifactRemoved helper. Neither is blocking, but aligning the pattern would improve maintainability.

💡 Minor: New test covers "item already in manifest with maturity: removed" but not "item absent from manifest"

See inline comment on scripts/tests/collections/CollectionHelpers.Tests.ps1:644.

The test exercises the guard correctly for items pre-seeded in hve-core-all with maturity: removed. A complementary test starting with an hve-core-all that does not mention the artifact at all would cover the other critical path and lock down the full contract.

Coding Standards

✅ PowerShell files include copyright headers in correct position.
✅ #Requires -Modules Pester appears before the copyright header in the new test file, matching the Pester instructions.
✅ New functions include comment-based help with .SYNOPSIS, .DESCRIPTION, .PARAMETER, .OUTPUTS.
✅ $TestDrive usage in existing tests is consistent; the new Find-CollectionManifests test uses the same manual temp-dir pattern already established in that file.
✅ Schema files are valid JSON with correct enum additions.
✅ YAML comments inside SKILL.md frontmatter (between user-invocable and metadata) are syntactically valid.

Action Items

1. [Recommended] Retain owasp-docker in hve-core-all.collection.yml with maturity: removed to ensure the permanent guard fires on all future plugin:generate runs.
2. [Optional] Introduce Test-ArtifactRemoved helper and $removedCount metric to match the deprecated pattern.
3. [Optional] Add a test case for the "artifact on disk but absent from hve-core-all" scenario to fully cover the re-discovery guard contract.

Generated by PR Review for issue #1444 · ● 4.2M

Advisory review — this PR is from a maintainer. Findings are informational only.

Review Summary

This is a well-scoped, thoughtfully executed change. The removed maturity tier is enforced consistently across five distinct surfaces (collection helpers, validation, extension packaging, plugin generation, and schema), and the documentation and test coverage are proportionate to the mechanism's complexity. The PR description aligns cleanly with the linked issue (#1442), and all acceptance criteria are met.

Two inline comments are posted above. An additional observation follows below.

Issue Alignment ✅

All items in the issue scope table are addressed. The deliberate decision to keep maturity out of per-artifact frontmatter (deviating from the issue's mention of skill-frontmatter.schema.json) is clearly justified in docs/architecture/ai-artifacts.md — the collection YAML is the single source of truth. That reasoning is sound and the documentation explains it well.

PR Template Compliance ✅

All required sections are filled. The unchecked validate:skills item is appropriately annotated as a pre-existing failure unrelated to this change.

Coding Standards

⚠️ Test file header ordering (inline comment posted)

scripts/tests/linting/Schemas-RemovedMaturity.Tests.ps1 places the copyright header before #Requires -Modules Pester. Per pester-tests.instructions.md, the #Requires statement must appear first. Every other test file in scripts/tests/ follows this pattern; this new file is the only exception.

Documentation

⚠️ Exclusion mechanism table credits wrong function (inline comment posted)

docs/architecture/ai-artifacts.md line 460 attributes the extension packaging exclusion to Get-AllowedMaturities, but the explicit enforcement added by this PR is in Test-CollectionMaturityEligible. Get-AllowedMaturities excludes removed by omission (the tier was never in its return list), which is correct behavior, but the documentation should credit the function that was actually changed and that provides the active guard.

Code Quality

💡 Missing test coverage for Validate-Collections.ps1 orphan check changes

Validate-Collections.ps1 has non-trivial new logic for the removed tombstone case — the orphan check at lines 406–420 now distinguishes between an artifact with no active themed occurrences (all removed) and a genuine orphan. Validate-Collections.Tests.ps1 has zero references to removed and no test exercising this path.

The tombstone-skip branch and the check-4 update ($activeThemedMatches) are both new code paths. A test that constructs a collection with a removed item in a themed manifest absent from hve-core-all, runs Invoke-CollectionValidation, and asserts zero errors would close this gap. Existing tests pass, but this specific scenario is untested.

Minor Observations

• scripts/tests/collections/CollectionHelpers.Tests.ps1 ends with two trailing blank lines after the last test block (lines 660–661). The rest of the file uses a single trailing newline. Non-blocking.
• The YAML comment added in owasp-docker/SKILL.md frontmatter is technically valid, but the rationale is invisible in the rendered Markdown view. Consider adding a brief > [!NOTE] admonition in the skill body for human-facing discoverability, since this skill is kept on disk specifically for historical reference.

Action Items

Generated by PR Review for issue #1444 · ● 2.8M

Advisory review, this PR is from a maintainer. Findings are informational only.

Review Summary

This is a well-structured PR. The removed maturity tier is correctly threaded through all four enforcement surfaces (collection validation, plugin generation, extension packaging, and collection helpers), and the design rationale for choosing collection-YAML as the single source of truth over per-artifact frontmatter is sound and well-documented. Test coverage is comprehensive across all modified scripts.

Four minor advisory findings are inline-commented; none are blocking.

Issue Alignment ✅

PR closely implements every item in the issue #1442 scope table. One deliberate deviation: the issue spec listed adding a maturity property to skill-frontmatter.schema.json, but the PR intentionally omits this to keep the collection YAML as the unambiguous source of truth. The decision is documented clearly in docs/architecture/ai-artifacts.md and the PR description. The skill-frontmatter.schema.json diff only adds a trailing newline (fixing a pre-existing "no newline at EOF" warning).

PR Template Compliance ✅

All required sections are completed. The unchecked npm run validate:skills item is correctly annotated with a pre-existing failure rationale unrelated to this PR.

Coding Standards

Four minor findings (see inline comments):

1. scripts/tests/linting/Schemas-RemovedMaturity.Tests.ps1 — #Requires -Modules Pester appears after the copyright header; per pester-test.instructions.md it must come first.
2. scripts/tests/linting/Schemas-RemovedMaturity.Tests.ps1 — Describe block is missing -Tag 'Unit'.
3. scripts/tests/collections/CollectionHelpers.Tests.ps1 — New Describe block is missing -Tag 'Unit'.
4. docs/architecture/ai-artifacts.md — The "Collection-YAML Marker" code example uses .github/skills/security/owasp-docker/SKILL.md but collection entries use the directory path (no /SKILL.md suffix), matching actual usage in security.collection.yml.

Code Quality ✅

Implementation correctness: The removed check is correctly ordered before deprecated in Update-HveCoreAllCollection, preventing re-introduction by the auto-generator. The Validate-Collections.ps1 orphan-and-cross-collection logic is correct: $activeThemedMatches properly gates the "missing from hve-core-all" error, and the tombstone path ($themedRemoved && !$themedActive) correctly suppresses the orphan failure.

Observation — Validate-Collections.ps1 test coverage gap: The most complex new logic (the $activeThemedMatches hunk at line ~373 and the tombstone orphan path at line ~406) doesn't have dedicated tests in this PR. Existing tests run against a live collection graph and likely exercise these paths indirectly (via the owasp-docker tombstone in security.collection.yml), but an isolated unit test for the two new conditional branches in Validate-Collections.ps1 would make future regressions immediately diagnosable. Worth a follow-up ticket.

Trailing blank lines: CollectionHelpers.Tests.ps1 adds two empty lines at the end of the new Describe block. Minor, but inconsistent with the single-trailing-newline convention.

Security ✅

No new dependencies. The license-incompatibility guard is effective: the removed tier creates an unconditional exclusion at every build stage so the CC-BY-NC-SA-4.0 artifact cannot be reintroduced by tooling drift.

Generated by PR Review for issue #1444 · ● 1.9M

Advisory review, this PR is from a maintainer. Findings are informational only.

Overview

This is a well-scoped, cleanly implemented PR. The removed maturity tier is correctly wired through all four distribution surfaces (collection auto-discovery, plugin generation, extension packaging, and collection validation), the schema changes are consistent, and the documentation accurately describes the invariant. Issue #1442's scope table is fully satisfied.

Issue Alignment ✅

Closes #1442. All items in the issue's scope table are addressed:

• Schema enums updated in both collection-manifest.schema.json and skill-frontmatter.schema.json
• CollectionHelpers.psm1 skips removed before the existing deprecated branch
• Find-CollectionManifests.ps1, Prepare-Extension.ps1, Generate-Plugins.ps1 each guard on removed
• Validate-Collections.ps1 updated with tombstone-aware orphan and themed-collection checks
• owasp-docker/SKILL.md annotated; collection YAML entries updated in both security.collection.yml and the regenerated hve-core-all manifests
• Agent and prompt narratives scrubbed of owasp-docker references
• Plugin symlinks removed from plugins/hve-core-all and plugins/security

No scope creep detected.

PR Template Compliance ✅

All required sections are filled. The unchecked validate:skills item is explained inline (pre-existing failure on customer-card-render, unrelated to this change) — acceptable.

Coding Standards

Two convention deviations in the new test file scripts/tests/linting/Schemas-RemovedMaturity.Tests.ps1 (inline comments filed above):

1. Header order (line 1–4): Copyright block precedes #Requires -Modules Pester. The Pester testing instructions require #Requires to be the very first line.
2. Missing -Tag 'Unit' (line 12): Describe blocks require -Tag 'Unit' per the Pester instructions. The co-located Find-CollectionManifests.Tests.ps1 applies the tag correctly.

Neither issue affects test execution, but both deviate from the repository's stated conventions.

Code Quality ✅

• The removed check in Update-HveCoreAllCollection correctly precedes the existing deprecated guard — ordering is intentional and consistent with the tier hierarchy.
• Validate-Collections.ps1's tombstone bypass logic ($activeThemedMatches / $themedRemoved) is sound: it allows a skill to exist in a themed collection as removed without triggering the canonical-orphan error, while still failing for genuinely orphaned active items.
• Select-CollectionItemsByChannel naturally excludes removed via Get-AllowedCollectionMaturities (confirmed by the new tests in Generate-Plugins.Tests.ps1); no redundant item-level guard needed.
• The YAML comment added inside owasp-docker/SKILL.md frontmatter is valid YAML and serves as useful in-file rationale. Standard YAML parsers and gray-matter-style frontmatter extractors handle inline comments correctly.

Documentation ✅

The maturity lifecycle diagram update (deprecated → removed → [*]) and the new "Removed Artifacts" section in ai-artifacts.md are accurate and consistent with the implementation. The release-process table row for removed correctly reflects "Neither" channel inclusion.

Security ✅

No new credentials, secrets, or privilege-escalation paths. The change exclusively removes a CC-BY-NC-SA-4.0 artifact from distribution — a positive security/licensing hygiene action.

Generated by PR Review for issue #1444 · ● 2M

Advisory review, this PR is from a maintainer. Findings are informational only.

Overview

This PR introduces the removed maturity tier to retire owasp-docker from all distribution channels while preserving its source for historical reference. The implementation is consistent, well-tested, and cleanly separated across schemas, collection validation, plugin generation, and extension packaging. The linked issue's acceptance criteria are fully addressed.

Issue Alignment

✅ Closes #1442. All three requirements are satisfied:

1. owasp-docker is no longer shipped in any collection, plugin, or extension — enforced by maturity: removed in security.collection.yml and the tombstone removal from hve-core-all.collection.yml.
2. The permanent guard in Update-HveCoreAllCollection (maturity propagation with strictest-wins logic) prevents re-discovery by auto-generators.
3. All narrative references (security-reviewer.agent.md, codebase-profiler.agent.md, skill-assessor.agent.md, finding-deep-verifier.agent.md, security-review.prompt.md, CUSTOM-AGENTS.md) are scrubbed.

PR Template Compliance

✅ Description is substantive and clearly explains intent, execution flow, and success indicators.
✅ Closes #1442 is present.
✅ Type of Change checkboxes are checked and match the actual diff contents.
✅ Testing section documents npm run test:ps (2036/0) and npm run lint:all results.
✅ The unchecked validate:skills item is appropriately annotated as a pre-existing, unrelated failure.

Coding Standards

⚠️ One convention violation found (see inline comment):

• scripts/tests/linting/Schemas-RemovedMaturity.Tests.ps1 — the copyright header appears before #Requires -Modules Pester. Every other test file in the repository and the pester instructions specify the reverse ordering. Test-RemovedMaturityExclusion.Tests.ps1, added in the same PR, correctly follows the convention.

Code Quality

✅ Schema changes are minimal and accurate — removed is added to both the collection-level and item-level maturity enums in collection-manifest.schema.json, with updated descriptions. The skill-frontmatter.schema.json change is a no-op (trailing newline only), consistent with the documented design that artifact frontmatter intentionally does not carry a maturity field.

✅ Update-HveCoreAllCollection maturity propagation — the strictest-maturity-wins logic (removed > deprecated > preview > stable) is correct. The loop correctly iterates all source collection manifests to propagate tombstones into the aggregated manifest.

✅ Validate-Collections.ps1 tombstone exemptions — both Check 4 (themed-but-absent-from-canonical) and the orphan check are correctly gated on $activeThemedMatches / $themedRemoved to avoid false positives for intentional tombstones.

✅ Test coverage is thorough: unit tests cover all four modified scripts (CollectionHelpers, Validate-Collections, Find-CollectionManifests, Prepare-Extension), the two new schema tests validate enum inclusion, and Test-RemovedMaturityExclusion.Tests.ps1 provides a regression guard against leaked plugin artifacts.

💡 Advisory Observations

Undisclosed bundled scope: The PR includes changes not mentioned in the PR description or in Issue #1442:

• rai-risk-classification.instructions.md is added to data-science, project-planning, and security collection YAMLs and regenerated plugins.
• Validate-Collections.ps1 adds rai-planning to $sharedSubdomainFolders to suppress validation warnings for that new addition.

These changes appear correct in isolation — the rai-planning subdomain exemption is needed precisely because those items are now referenced in collections — but their absence from the PR description and linked issue makes the PR harder to audit. Future PRs bundling unrelated collection additions alongside a focused infrastructure change would benefit from an "Additional Changes" section in the description.

Action Items

1. Fix header order in scripts/tests/linting/Schemas-RemovedMaturity.Tests.ps1 (see inline comment). This is the only actionable finding; everything else is informational.

Generated by PR Review for issue #1444 · ● 2.1M

Advisory review — this PR is from a maintainer. Findings are informational only.

Overview

This PR cleanly implements the removed maturity tier and retires owasp-docker from all distribution surfaces. The design decision to make removed a collection-manifest-only marker (rather than a per-artifact frontmatter field) is well-reasoned and consistently applied across schema validation, plugin generation, extension packaging, and the hve-core-all aggregation step. Test coverage is thorough, the regression guard in Test-RemovedMaturityExclusion.Tests.ps1 is a solid safety net, and the rai-risk-classification distribution additions are a clean, self-contained addition.

Issue Alignment ✅

PR fully addresses #1442:

• removed tier added to both schema enums (collection-level and item-level).
• owasp-docker retired from security, hve-core-all, all plugin outputs, agent narratives, and prompts.
• Auto-generator cannot re-introduce the skill via Update-HveCoreAllCollection.
• SKILL.md carries a YAML comment documenting the CC-BY-NC-SA-4.0 incompatibility rationale.

⚠️ Design deviation from issue scope table: The issue proposed adding Get-ArtifactSourceMaturity and Test-ArtifactRemoved as named functions in CollectionHelpers.psm1. The PR instead inlines the propagation logic directly in Update-HveCoreAllCollection. This is a valid trade-off — the end-to-end regression test compensates for the lack of unit-testable named functions — but worth noting in case reviewers expected those symbols to exist.

PR Template Compliance ✅

All required sections are filled. Checked types (New feature, Breaking change, Documentation update, AI Artifacts) match the actual diff. The explicit note on validate:skills being pre-existing and unrelated is well-documented.

Coding Standards

⚠️ Test header ordering — Schemas-RemovedMaturity.Tests.ps1

See inline comment at line 1. #Requires -Modules Pester must precede the copyright block in test files. This is the only test file in the PR with the wrong ordering.

💡 Stale docstring — Update-HveCoreAllCollection

.SYNOPSIS still reads "Auto-updates hve-core-all.collection.yml with all non-deprecated artifacts" and .DESCRIPTION still says "excludes deprecated items". Now that removed items are also excluded, both should say "non-deprecated, non-removed" (or similar). Not a blocking issue, but the docstring will mislead the next reader.

.SYNOPSIS
    Auto-updates hve-core-all.collection.yml with all active (non-deprecated, non-removed) artifacts.

.DESCRIPTION
    Discovers all artifacts from .github/ directories, excludes deprecated and removed items,
    and rewrites the hve-core-all collection manifest. ...

💡 $maturityRank missing experimental — undocumented intent

See inline comment at line 513 of CollectionHelpers.psm1. The omission is functionally correct but would benefit from a single-line comment explaining that it's intentional.

Code Quality ✅

No bugs, security issues, or performance concerns found. The strictest-maturity-wins algorithm is correct. The $sharedSubdomainFolders hashtable in Validate-Collections.ps1 is a clean generalisation of the previous single-string guard.

Action Items

Generated by PR Review for issue #1444 · ● 3.3M