Standards licensing compliance remediation for security instructions and skills #1295

@WilliamBerryiii

Description

Summary

Remediate standards licensing compliance across security instructions and skill packages in hve-core. The repository includes content derived from external standards (OWASP, CIS, NIST, OSSF) that requires proper attribution, license declarations, and redistribution compliance.

Problem

  1. CIS Controls v8.1 content embedded in standards-mapping.instructions.md — CIS licensing prohibits redistribution of their controls content, but the file contained embedded CIS mappings.
  2. OWASP skills declared license: MIT — Three OWASP-derived skills (owasp-agentic, owasp-llm, owasp-top-10) contain content licensed under CC BY-SA 4.0, but their frontmatter declared MIT. The 33 OWASP vulnerability reference files lacked CC BY-SA 4.0 attribution footers.
  3. Missing THIRD-PARTY-NOTICES — No centralized third-party attribution file existed for the repository.
  4. Incomplete skill metadata — Skills lacked license, metadata, and compatibility fields in frontmatter, preventing automated license detection.
  5. Contributing docs gaps — The skills contributing guide did not document the new metadata fields or the compatibility field in the schema.

Acceptance Criteria

  • CIS Controls content removed and replaced with runtime Researcher Subagent delegation
  • OWASP skills declare license: CC-BY-SA-4.0 with attribution blocks in SKILL.md
  • All 33 OWASP reference files include CC BY-SA 4.0 footers
  • Non-OWASP skills declare license: MIT
  • THIRD-PARTY-NOTICES file created covering all external sources
  • README.md includes a Licensing subsection explaining the dual-license model
  • All 12 skills include license and metadata fields in frontmatter
  • compatibility field added to skill schema and documented
  • docs/contributing/skills.md documents new fields
  • npm run validate:skills passes (12/12)
  • npm run lint:frontmatter passes
  • Plugins regenerated to reflect CIS reclassification

Implementation

Addressed in PR #1294 across 4 commits and 56 changed files.

Metadata

Labels

  • compliance — Licensing, attribution, and regulatory compliance
  • documentation — Improvements or additions to documentation
  • licensing — License declarations, attribution, and third-party notices
  • maintenance — Maintenance work, no version bump

    Type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions