You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Surfaces the existing risk classification + capability summary as a compact,
machine-readable badge set a registry can render per package — the §20.1-F item.
- PackageReview gains `badges: Vec<String>` derived from `risk` + the review
summary: `risk:<level>`, plus `native`, `unsafe`, `async`, `parallel`,
`unknown-capability`, `has-errors`. Pure restatement of existing review
evidence (no new analysis), so badges never disagree with risk/summary.
- The registry index entry (rss.registry.index.v1) carries the subset derivable
from its own authoritative fields (`risk:<level>`, `native`, `unsafe`), kept
consistent with the entry's risk/native/unsafe_apis.
- Risk-label formatting shared via package_risk_label (no duplication).
Tested on the s3-iam native package (risk:unknown + native + unknown-capability).
Documented in package-manager §18.3 and spec §20.1-F. Remaining (out of repo):
rendering badges in a registry UI.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
0 commit comments