File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -43,6 +43,7 @@ model never infers.
4343
4444For a short external case study, read
4545[ SBOM Diff as a Bounded Policy Review Artifact] ( tools/sbom-diff-and-risk/docs/case-study-bounded-policy-review.md ) .
46+ For near-term flagship review boundaries, see [ ` ROADMAP.md ` ] ( ROADMAP.md ) .
4647
4748## Supporting Diagnostics Projects
4849
Original file line number Diff line number Diff line change 1+ # Roadmap
2+
3+ The repository's current flagship surface is ` sbom-diff-and-risk ` . The
4+ near-term focus is to stabilize reviewer paths, release evidence, policy
5+ boundaries, and deterministic examples rather than expand the project count.
6+
7+ ## External Review Surface
8+
9+ Open review issues should be sparse and grounded in checked-in examples. A
10+ useful issue names the sample input, expected JSON/Markdown/SARIF output, and
11+ acceptance criteria for a bounded artifact or policy-contract review.
12+
13+ The current public review entry is intentionally narrow: trace one
14+ requirements-file dependency change through the generated report and confirm
15+ that local risk buckets remain policy-review evidence rather than package
16+ safety verdicts.
17+
18+ ## Parked Directions
19+
20+ - Parser-boundary fixtures, only when the before/after input and normalized
21+ component output are known up front.
22+ - No-network reproduction feedback, only when it names exact command output,
23+ link drift, or artifact-regeneration mismatch.
24+ - ` needs-review ` policy examples, only when the remaining human decision is
25+ explicit and separate from vulnerability or malware claims.
26+ - Additional dependency-pair examples, only when they clarify a distinct risk
27+ model boundary without adding live enrichment or safety verdicts.
You can’t perform that action at this time.
0 commit comments