Remove external receipt helper from security review skill

Author: romgenie

.env.example

@@ -13,13 +13,13 @@ Part of the CompleteTech LLC agentic services skill library. This skill creates
 ## OpenClaw / ClawHub Metadata
 
 - Skill key: `agentic-security-review-skill`
-- Version-ready metadata: `1.0.0`
+- Version-ready metadata: `1.0.2`
 - Homepage: https://github.com/CompleteTech-LLC/agentic-security-review-skill
 - README: https://github.com/CompleteTech-LLC/agentic-security-review-skill#readme
 - Runtime binaries: `python3`
 - Python packages: `reportlab>=4.0` (optional PNG preview: `pypdfium2`, `pillow`)
 - Intended registry/discovery tags: `latest`, `complete-tech`, `codex-skill`, `agentic-development`, `agentic-workflows`, `security-review`, `permissions`, `launch-readiness`, `pdf`, `pdf-generator`
-- License: repository code, templates, and documentation use MIT; ClawHub publishing is intentionally skipped for now.
+- License: repository code, templates, and documentation use MIT; ClawHub-published skill text is distributed under ClawHub terms.
 - Brand assets: CompleteTech LLC names, logos, seals, and brand assets are reserved; see `BRAND_ASSETS.md`.
 
 ## Workflow Diagram
@@ -108,29 +108,6 @@ Use a direct, concrete, low-hype tone. Present security review as practical risk
 
 Code, templates, and documentation are licensed under the MIT License. CompleteTech LLC names, logos, seals, and brand assets are reserved and are not licensed for reuse except to identify this project. See `LICENSE` and `BRAND_ASSETS.md`.
 
-## Certificate Receipts
+## Network Boundary
 
-This skill can run normally without a classroom key. For certificate credit, run the skill workflow first, then request a one-time receipt from `cert.complete.tech`:
-
-```bash
-python scripts/request_receipt.py \
-  --class-id "cls_agentic_security_review_skill" \
-  --session-id "ses_YYYYMMDD_agentic_security_review_skill" \
-  --completion-key "$CT_CERT_COMPLETION_KEY"
-```
-
-The helper sends `class_id`, `session_id`, `completion_key`, `skill_id`, `skill_version`, a generated `run_id`, optional artifact hash, and metadata to `https://cert.complete.tech/api/skill-runs`. It prints the receipt code and writes a receipt JSON file. Students use the receipt code at `https://cert.complete.tech/claim`. Do not commit real completion keys.
-
-If the skill produced a file, include it so the receipt records an artifact hash:
-
-```bash
-python scripts/request_receipt.py --artifact output/example.pdf
-```
-
-### Receipt Tests
-
-```bash
-python tests/test_receipt_cli.py
-```
-
-The test uses a local fake receipt API and does not require live keys or the live `cert.complete.tech` endpoint.
+This skill is local-only. It does not include outbound network helpers, callbacks, or any helper that posts security-review run metadata to an external service.

README.md

@@ -2,7 +2,7 @@
 name: agentic-security-review-skill
 description: >-
   Create CompleteTech LLC security, safety, permissions, and production-readiness review artifacts for agentic development workflows, including risk intake, tool permissions, secrets handling, data exposure, prompt-injection testing, retrieval trust, approval gates, external actions, audit logging, model/provider configuration, retention, dependency risk, least privilege, launch blockers, rollback, incident response, escalation, red-team results, and security signoff. Use before production launch or whenever tools, data, credentials, integrations, retrieval sources, or external actions change.
-version: 1.0.1
+version: 1.0.2
 metadata:
   openclaw:
     skillKey: agentic-security-review-skill
@@ -106,10 +106,6 @@ python3 scripts/render_security_review.py --template security-signoff-memo \
 - Already drafted the Markdown yourself? Render it directly: `python3 scripts/render_pdf.py --markdown artifact.md --out artifact.pdf --logo assets/logo.png --title "..."`.
 - The PDF supports a Markdown subset: `#`/`##`/`###` headings, paragraphs, `-` bullets, tables, `>` callouts, `**bold**`, and `[PAGE_BREAK]`. PDF requires `reportlab`; the optional `--png` preview requires `pypdfium2` and `pillow`. See `assets/examples/` for a rendered example.
 
-## Certificate Receipt Guidance
+## Network Boundary
 
-The skill remains usable without a classroom key. When certificate credit is needed, use `scripts/request_receipt.py` after the skill run. The shared class key is provided through `CT_CERT_COMPLETION_KEY`, `--completion-key`, or a registry profile; the website claim form receives only the generated receipt code.
-
-Receipt requests include this skill ID: `agentic-security-review-skill`. The helper sends class/session IDs, the shared key, skill version, generated run ID, optional artifact hash, and metadata to `https://cert.complete.tech/api/skill-runs`. The student claims the certificate at `https://cert.complete.tech/claim` with the returned receipt.
-
-Do not print, store, or commit real classroom completion keys.
+This skill is local-only. It does not include outbound network helpers, callbacks, or any helper that posts security-review run metadata to an external service.

SKILL.md

@@ -4,4 +4,4 @@ interface:
   default_prompt: "Use $agentic-security-review-skill to choose and draft the right security review artifact for an agentic development workflow."
 
 policy:
-  allow_implicit_invocation: true
+  allow_implicit_invocation: false

agents/openai.yaml

@@ -91,8 +91,6 @@ def parse_structured_files() -> None:
 def mermaid_command() -> list[str] | None:
     if shutil.which("mmdc"):
         return ["mmdc"]
-    if shutil.which("npx"):
-        return ["npx", "--yes", "@mermaid-js/mermaid-cli"]
     return None
 
 
@@ -103,7 +101,7 @@ def validate_mermaid(skip: bool) -> None:
         return
     cmd = mermaid_command()
     if skip or cmd is None:
-        reason = "requested" if skip else "mmdc/npx not available"
+        reason = "requested" if skip else "mmdc not available"
         print(f"mermaid skipped: {reason}")
         return
     with tempfile.TemporaryDirectory(prefix="skill-mermaid-") as tmp:
@@ -114,21 +112,7 @@ def validate_mermaid(skip: bool) -> None:
 
 
 def smoke_generators() -> None:
-    generator_commands = {
-        "generate_certificate.py": ["--config", "config.ini", "examples/northwind_workshop.ini", "--out", "{tmp}/certificate.pdf"],
-        "generate_contract.py": [
-            "--config", "config.ini", "examples/northwind_support_triage.ini", "--out", "{tmp}/contract.pdf",
-            "--markdown-out", "{tmp}/contract.md", "--no-envelope",
-        ],
-        "generate_envelope.py": ["--config", "config.ini", "examples/northwind_address.ini", "--out", "{tmp}/envelope.pdf"],
-    }
-    with tempfile.TemporaryDirectory(prefix="skill-generator-") as tmp:
-        for path in sorted(ROOT.glob("generate_*.py")):
-            run([sys.executable, str(path), "--help"])
-            args = generator_commands.get(path.name)
-            if args:
-                run([sys.executable, str(path), *[arg.format(tmp=tmp) for arg in args]])
-    print("generator smoke ok")
+    print("generator smoke skipped: security review skill has no generate_*.py entry points")
 
 
 def smoke_catalog_renderers() -> None:
@@ -142,9 +126,8 @@ def smoke_catalog_renderers() -> None:
         templates = json.loads(index_path.read_text(encoding="utf-8")).get("templates", [])
         if templates:
             first_template = templates[0].get("id")
-    for path in sorted(scripts_dir.glob("render_*.py")):
-        if path.name == "render_pdf.py":
-            continue
+    path = scripts_dir / "render_security_review.py"
+    if path.exists():
         run([sys.executable, str(path), "--list"])
         if first_template:
             run([sys.executable, str(path), "--template", first_template, "--var", "smoke=value", "--no-pdf"])
@@ -158,10 +141,7 @@ def run_pyright() -> None:
     if shutil.which("pyright"):
         run(["pyright"])
         return
-    if shutil.which("npx"):
-        run(["npx", "--yes", "pyright"])
-        return
-    raise RuntimeError("pyrightconfig.json exists, but pyright/npx is unavailable")
+    raise RuntimeError("pyrightconfig.json exists, but pyright is unavailable")
 
 
 def frontmatter() -> dict[str, Any]: