feat: add OSS Security Forensics skill (Skills Hub) (#1482)

* feat: add OSS Security Forensics skill (Skills Hub)

Salvaged from PR #1066 by zagiscoming. Adds a 7-phase multi-agent
investigation framework for GitHub supply chain attack forensics.

Skill contents (optional-skills/security/oss-forensics/):
- SKILL.md: 420-line investigation framework with 8 anti-hallucination
  guardrails, 5 specialist investigators, ethical use guidelines,
  and API rate limiting guidance
- evidence-store.py: CLI evidence manager with add/list/verify/query/
  export/summary + SHA-256 integrity + chain of custody
- references/: evidence types, GH Archive BigQuery guide (expanded with
  12 event types and 6 query templates), recovery techniques (4 methods),
  investigation templates (5 attack patterns)
- templates/: forensic report template (151 lines), malicious package
  report template

Changes from original PR:
- Dropped unrelated core tool changes (delegate_tool.py role parameter,
  AGENTS.md, README.md modifications)
- Removed duplicate skills/security/oss-forensics/ placement
- Fixed github-archive-guide.md (missing from optional-skills/, expanded
  from 33 to 160+ lines with all 12 event types and query templates)
- Added ethical use guidelines and API rate limiting sections
- Rewrote tests to match the v2 evidence store API (12 tests, all pass)

Closes #384

* fix: use python3 and SKILL_DIR paths throughout oss-forensics skill

- Replace all 'python' invocations with 'python3' for portability
  (Ubuntu doesn't ship 'python' by default)
- Replace relative '../scripts/' and '../templates/' paths with
  SKILL_DIR/scripts/ and SKILL_DIR/templates/ convention
- Add path convention note before Phase 0 explaining SKILL_DIR
- Fix double --- separator (cosmetic)
- Applies to SKILL.md, evidence-store.py docstring,
  recovery-techniques.md, and forensic-report.md template

---------

Co-authored-by: zagiscoming <zagiscoming@users.noreply.github.com>