Review target
Add one compact synthetic before/after pair that clarifies an existing risk-model boundary.
Good candidates:
- an unclassified version change,
- missing or NOASSERTION license metadata,
- a suspicious local source path,
- a component change that should not create a hidden risk bucket.
Expected contribution
Include generated JSON/Markdown expectations, a focused test, and one sentence explaining what the artifact does not prove.
Done when
Example regeneration remains deterministic and the reviewer-route contract passes.
Boundaries
Use synthetic package names and public-safe metadata only. Do not imply vulnerability, malware, exploitability, or package safety.
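As an added illustration of what such a contribution looks like end to end, the Python below is not the project's own code or schema: it uses SPDX-style field names (`versionInfo`, `licenseConcluded`, `downloadLocation`), a hypothetical closed flag vocabulary, and constructed synthetic component records. The real risk model and reviewer-route contract are not shown on this page, so every name, field and flag here is an assumption. It covers three of the candidate boundaries at once (an unclassified version change, NOASSERTION license metadata, a local source path), shows how a closed vocabulary prevents a hidden risk bucket, renders the JSON/Markdown expectations deterministically, and carries the one sentence stating what the artifact does not prove.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

Component = Dict[str, str]

# Constructed synthetic records using SPDX-style field names. The package name,
# versions, licenses and locations are hypothetical and public-safe; they do
# not refer to any real package.
BEFORE: Component = {
    "name": "example-widget",
    "versionInfo": "1.4.2",
    "licenseConcluded": "MIT",
    "downloadLocation": "https://example.invalid/example-widget-1.4.2.tgz",
}
AFTER: Component = {
    "name": "example-widget",
    "versionInfo": "1.5.0-rc1",
    "licenseConcluded": "NOASSERTION",
    "downloadLocation": "file:///home/dev/build/example-widget",
}

# Closed vocabulary (assumed, not the project's). Every flag the model emits
# must come from this set so a component change cannot land in an unnamed
# "other" bucket that reviewers never see.
KNOWN_FLAGS = frozenset({
    "version-unclassified",
    "license-missing",
    "license-noassertion",
    "local-source-path",
})

# The one sentence every generated artifact must carry.
NOT_PROVEN = (
    "These flags record metadata completeness only; they do not show that "
    "the package is vulnerable, malicious, exploitable, or safe."
)

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def _parse(v: Optional[str]) -> Optional[Tuple[int, int, int]]:
    m = _SEMVER.match(v or "")
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def classify_version_change(before: Component, after: Component) -> str:
    """Return major/minor/patch/unchanged, or 'unclassified' when either side
    is not a plain X.Y.Z string (pre-release tags, hashes, empty values)."""
    a, b = _parse(before.get("versionInfo")), _parse(after.get("versionInfo"))
    if a is None or b is None:
        return "unclassified"
    if a == b:
        return "unchanged"
    if a[0] != b[0]:
        return "major"
    if a[1] != b[1]:
        return "minor"
    return "patch"


def _license_flag(c: Component) -> Optional[str]:
    lic = c.get("licenseConcluded")
    if not lic:
        return "license-missing"
    if lic.strip().upper() == "NOASSERTION":
        return "license-noassertion"
    return None


def _is_local_path(loc: Optional[str]) -> bool:
    # file:// URLs and bare filesystem paths (no scheme) count as local.
    if not loc:
        return False
    return loc.startswith("file://") or "://" not in loc


def review_flags(before: Component, after: Component) -> List[str]:
    """Sorted, explicit flags for the after-state; raises rather than inventing
    a flag outside KNOWN_FLAGS."""
    flags = set()
    if classify_version_change(before, after) == "unclassified":
        flags.add("version-unclassified")
    lf = _license_flag(after)
    if lf:
        flags.add(lf)
    if _is_local_path(after.get("downloadLocation")):
        flags.add("local-source-path")
    unknown = flags - KNOWN_FLAGS
    if unknown:
        raise ValueError(f"hidden risk bucket: {sorted(unknown)}")
    return sorted(flags)


def render_json(before: Component, after: Component) -> str:
    doc = {
        "before": before,
        "after": after,
        "versionChange": classify_version_change(before, after),
        "flags": review_flags(before, after),
        "notProven": NOT_PROVEN,
    }
    # sort_keys keeps the golden file byte-stable across regenerations.
    return json.dumps(doc, sort_keys=True, indent=2) + "\n"


def render_markdown(before: Component, after: Component) -> str:
    keys = sorted(set(before) | set(after))
    lines = ["| field | before | after |", "| --- | --- | --- |"]
    for k in keys:
        lines.append(f"| {k} | {before.get(k, '')} | {after.get(k, '')} |")
    lines += ["", "Flags: " + ", ".join(review_flags(before, after)), "", NOT_PROVEN]
    return "\n".join(lines) + "\n"


def regenerate_is_deterministic(before: Component = BEFORE,
                                after: Component = AFTER) -> bool:
    """Re-render from inputs with reversed key order; output must not depend on
    insertion order, set iteration, or any run-to-run state."""
    b2 = dict(reversed(list(before.items())))
    a2 = dict(reversed(list(after.items())))
    return (render_json(before, after) == render_json(b2, a2)
            and render_markdown(before, after) == render_markdown(b2, a2))


if __name__ == "__main__":
    print(render_markdown(BEFORE, AFTER))
    print("deterministic:", regenerate_is_deterministic())
```

The focused test for such a pair asserts on `review_flags` and `classify_version_change` for the exact boundary the pair targets, plus `regenerate_is_deterministic()`, and never on anything that would read as a safety or vulnerability verdict.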