use cautious language in security assessments to reduce legal risk and be fair to package authors#29

Merged
homanp merged 3 commits into main from legal-language-guidelines
Feb 4, 2026

Conversation

@alanzabihi
Contributor

Summary

When users run sus add, they see our risk assessments directly. These
same assessments are in the API and stored in the database. Automated
analysis can produce false positives - if we state "this package contains
a backdoor" and we're wrong, we could face legal action or unfairly
damage the author's reputation.

This adds language guidelines so assessments use phrases like "detected
patterns consistent with" instead of definitive claims.

Changes:

  • AGENTS.md at root: guidelines for agents writing copy, reports, or
    touching security language anywhere in the product
  • agentic.rs: scan prompts now instruct the model to use cautious
    descriptions
  • mod.rs: risk reason strings shown to users avoid accusatory language

CVE data from OSV/GitHub Advisory can still be stated as fact since we're
citing authoritative sources. The cautious language applies to our own
detected findings where false positives are possible.

Test plan

  • Existing tests pass (updated string assertions)
  • Run sus add on a flagged package, confirm output says "detected
    patterns consistent with X" not "X detected"

@alanzabihi alanzabihi requested a review from homanp February 4, 2026 21:23
Contributor

@homanp homanp left a comment

Please fix comments.

Rewrote the overview to be direct and factual. Removed architecture
diagram and key files sections. Clarified that packages are pre-scanned
so there's no slowdown at install time.
@alanzabihi alanzabihi requested a review from homanp February 4, 2026 21:47
@homanp homanp merged commit fc7aa9b into main Feb 4, 2026
5 checks passed