chore(security): end-to-end validation of security collection MVP #798

@katriendg

Summary

Validate the complete MVP security collection after all artifacts are in place. Run all linting, validation, and plugin generation to confirm no breakage. Perform a manual test of agent invocation to verify the orchestration flow works end-to-end.

Acceptance Criteria

  • npm run plugin:generate completes successfully
  • npm run plugin:validate passes
  • npm run validate:skills passes for all 3 new skills
  • npm run lint:all passes with no regressions
  • npm run lint:frontmatter passes for all new/modified files
  • No references to security-planning remain in the codebase
  • Manual verification: invoking /security-review triggers the Security Reviewer agent
  • Manual verification: agent produces output in .copilot-tracking/security/ with correct report structure
  • All new files follow hve-core conventions:
    • Descriptions end with - Brought to you by microsoft/hve-core
    • Skill directory names match frontmatter name field
  • Collection marked as experimental maturity

Validation Commands

npm run plugin:generate
npm run plugin:validate
npm run validate:skills
npm run lint:all
npm run lint:frontmatter
npm run lint:collections-metadata

# Verify no stale references
grep -r "security-planning" --include="*.yml" --include="*.md" --include="*.json" .

Manual Test Plan

  1. Open VS Code with hve-core workspace
  2. Invoke /security-review from prompt picker
  3. Verify agent classifies the codebase (should detect agentic patterns)
  4. Verify agent delegates to skills via subagent
  5. Verify report written to .copilot-tracking/security/{date}/
  6. Verify report contains CAUTION disclaimer, summary counts, and findings

Dependencies

Depends on all prior issues: #792, #793, #794, #795, #796, #797, #799.
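
The two file-convention criteria above (description suffix, skill directory name matching the frontmatter name) can be spot-checked by hand with a short script. This is an added example, not hve-core's own validator: the `SKILL.md` file name, the `<root>/<skill-dir>/` layout, and single-line `name:` / `description:` values are assumptions.

```shell
#!/bin/sh
# Added example. Assumed layout: <root>/<skill-dir>/SKILL.md with '---' frontmatter.
SUFFIX='- Brought to you by microsoft/hve-core'

# Print the single-line value of a top-level frontmatter key.
frontmatter_field() {  # $1 = key, $2 = file
  val=$(awk -v key="$1" '
    { sub(/\r$/, "") }                        # tolerate CRLF files
    NR == 1 { if ($0 != "---") exit; next }   # no frontmatter block
    $0 == "---" { exit }                      # end of frontmatter
    index($0, key ":") == 1 {
      v = substr($0, length(key) + 2)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      print v; exit
    }' "$2")
  case $val in                                # strip one layer of quotes
    \"*\") val=${val#\"}; val=${val%\"} ;;
    \'*\') val=${val#\'}; val=${val%\'} ;;
  esac
  printf '%s\n' "$val"
}

# Print one line per violation; return 1 if any skill breaks a convention.
check_skills() {  # $1 = skills root directory
  rc=0
  for f in "$1"/*/SKILL.md; do
    [ -f "$f" ] || continue
    dir=$(basename "$(dirname "$f")")
    name=$(frontmatter_field name "$f")
    desc=$(frontmatter_field description "$f")
    if [ "$name" != "$dir" ]; then
      echo "$f: name '$name' does not match directory '$dir'"; rc=1
    fi
    case $desc in
      *"$SUFFIX") ;;                          # description ends with the suffix
      *) echo "$f: description lacks required suffix"; rc=1 ;;
    esac
  done
  return $rc
}

# Stand-alone use: pass the skills root as the first argument.
if [ "$#" -gt 0 ]; then check_skills "$1"; fi
```
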

Labels

  • maintenance: Maintenance work, no version bump
  • security: Security-related changes or concerns