stacknil · stacknil · May 1, 2026 · May 1, 2026
diff --git a/tools/sbom-diff-and-risk/README.md b/tools/sbom-diff-and-risk/README.md
@@ -1,6 +1,6 @@
 # sbom-diff-and-risk
 
-v0.5.1 is a release-only maintenance update for the GitHub Release checksum manifest path. It keeps CLI analysis behavior unchanged, keeps dependency analysis local and deterministic by default, preserves the completed TestPyPI dry-run story, and keeps production PyPI publishing intentionally deferred.
+v0.6.0 is the machine-readable report consumption release. It documents the stable JSON `summary` contract, adds report schema guidance, and includes optional `--summary-json PATH` output for consumers that only need `report.json["summary"]`. It keeps CLI analysis behavior unchanged, keeps dependency analysis local and deterministic by default, preserves the completed TestPyPI dry-run story, and keeps production PyPI publishing intentionally deferred.
 
 `sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
 

diff --git a/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.6.0.md b/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.6.0.md
@@ -1,12 +1,12 @@
-# sbom-diff-and-risk v0.6.0 draft release notes
+# sbom-diff-and-risk v0.6.0
 
-These are draft release notes for the planned `v0.6.0` release. This PR does not tag or publish `v0.6.0`, does not create a GitHub Release, and does not publish to PyPI or TestPyPI.
+`v0.6.0` is the machine-readable report consumption and summary-output usability release.
 
 ## Theme
 
 Machine-readable report consumption and summary-output usability.
 
-`v0.6.0` focuses on making the existing JSON report easier to consume from automation without changing the core dependency diff model, Markdown output, SARIF output, workflows, package version, or publishing status.
+`v0.6.0` focuses on making the existing JSON report easier to consume from automation without changing the core dependency diff model, Markdown output, SARIF output, workflows, or publishing status.
 
 ## Highlights
 
@@ -52,19 +52,18 @@ These surfaces remain distinct: GitHub workflow artifact attestations, GitHub Re
 
 ## Distribution status
 
-- Latest GitHub Release remains `v0.5.1` until a future release PR creates the `v0.6.0` tag and release.
-- This PR does not tag or publish `v0.6.0`.
-- This PR does not create a GitHub Release.
-- This PR does not publish to TestPyPI.
-- This PR does not publish to production PyPI.
+- The `v0.6.0` GitHub Release is expected to be created from the tag-gated release workflow.
+- Release assets are expected to include the wheel, source distribution, and `sbom-diff-and-risk-SHA256SUMS.txt`.
+- TestPyPI Trusted Publishing dry-run validation remains documented as pre-production evidence.
+- This release does not publish to TestPyPI.
+- This release does not publish to production PyPI.
 - Production PyPI remains intentionally deferred.
 
 ## Not in this release
 
 - No Markdown output behavior changed.
 - No SARIF behavior changed.
 - No workflow behavior changed.
-- No package version bump is included in this draft-notes PR.
 - No production PyPI workflow is added.
 - No hidden network behavior was added.
 - No CVE lookup or CVE resolution was added.

diff --git a/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif b/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.5.1",
-          "semanticVersion": "0.5.1",
+          "version": "0.6.0",
+          "semanticVersion": "0.6.0",
           "rules": [
             {
               "id": "sdr.policy_violation.provenance_required",

diff --git a/tools/sbom-diff-and-risk/examples/sample-sarif.sarif b/tools/sbom-diff-and-risk/examples/sample-sarif.sarif
@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.5.1",
-          "semanticVersion": "0.5.1",
+          "version": "0.6.0",
+          "semanticVersion": "0.6.0",
           "rules": [
             {
               "id": "sdr.major_upgrade",

diff --git a/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif b/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif
@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.5.1",
-          "semanticVersion": "0.5.1",
+          "version": "0.6.0",
+          "semanticVersion": "0.6.0",
           "rules": [
             {
               "id": "sdr.policy_violation.scorecard_below_threshold",

diff --git a/tools/sbom-diff-and-risk/pyproject.toml b/tools/sbom-diff-and-risk/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "sbom-diff-and-risk"
-version = "0.5.1"
+version = "0.6.0"
 description = "Deterministic SBOM diff CLI with heuristic risk reporting."
 readme = { file = "PYPI_DESCRIPTION.md", content-type = "text/markdown" }
 requires-python = ">=3.11"

diff --git a/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py b/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
@@ -2,4 +2,4 @@
 
 __all__ = ["__version__"]
 
-__version__ = "0.5.1"
+__version__ = "0.6.0"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,4 +2,4 @@

		__all__ = ["__version__"]

		__version__ = "0.5.1"
		__version__ = "0.6.0"