This repository is a portfolio space for scientific-computing infrastructure, systems tooling, and supply-chain-security experiments that favor deterministic behavior, auditable outputs, and clear release evidence.
tools/sbom-diff-and-risk is the
current flagship tool. It compares SBOMs and dependency manifests, produces
JSON, Markdown, and SARIF review artifacts, supports local policy checks, and
can optionally record PyPI provenance and OpenSSF Scorecard evidence.
For the clearest reviewer route, start with the
sbom-diff-and-risk reviewer path;
it separates orientation, artifact inspection, local reproduction, and release
evidence.
projects/precipitation-anomaly-diagnostics
is the compact reviewer-facing mini-lab. It demonstrates a reproducible workflow
for precipitation anomaly preprocessing, EOF analysis, representative-period
selection, composite analysis, and reviewer-friendly scientific interpretation.
projects/precipitation-anomaly-diagnostics-lab
is the extended lab variant with configurable diagnostics utilities. It expands
the workflow with EOF/PC analysis, composite circulation checks,
correlation/regression utilities, MCA-style coupled-field diagnostics, synthetic
demonstration charts, and explicit data-redistribution boundaries.
sbom-diff-and-risk remains the flagship release-facing tool in this repository.
The precipitation diagnostics projects are supporting scientific-data mini-labs.
They demonstrate reproducible analysis workflows, data-policy boundaries, and
reviewer-friendly interpretation, but they are not part of the
sbom-diff-and-risk release surface and should not be read as a separate
meteorology portfolio.
Scientific and security-oriented engineering often needs small, inspectable tools that make evidence easier to review. This repository collects projects that emphasize:
- deterministic local analysis
- machine-readable security and review output
- conservative policy checks
- explicit provenance and release verification boundaries
- documentation that separates tool behavior from distribution evidence
Project: sbom-diff-and-risk
Status: Released at v0.9.0.
What to review: Deterministic SBOM/dependency diffing, JSON/Markdown/SARIF output, local policy checks, policy decision explainability, optional provenance and Scorecard evidence.
Useful entry points:
- README
- Reviewer path
- Reviewer brief
- Reviewer evidence pack
- v0.9.0 release notes
- Examples
Project: precipitation-anomaly-diagnostics
Status: Public-safe compact reviewer-facing mini-lab.
What to review: Sanitized climate-diagnostics workflow, small derived example artifacts, methodology notes, data policy, and synthetic-data tests.
This mini-lab is a supporting scientific-data project and is not part of the
sbom-diff-and-risk release surface.
Useful entry points:
Project: precipitation-anomaly-diagnostics-lab
Status: Public-safe extended lab variant with configurable diagnostics utilities.
What to review: Detailed calculation methods, inference boundaries, configurable analysis scripts, synthetic chart generation, and a synthetic inference report.
This extended lab is a supporting scientific-data project and is not part of
the sbom-diff-and-risk release surface.
Useful entry points:
- README
- Calculation methods
- Inference analysis
- Synthetic inference report
sbom-diff-and-risk has separate verification surfaces. They are related, but
they do not prove the same thing.
- Tool verification guide: docs/verification.md
- GitHub Release asset verification: docs/release-provenance.md
- TestPyPI Trusted Publishing dry-run: docs/pypi-trusted-publishing-readiness.md
- Production PyPI decision gate: docs/pypi-production-publishing-decision.md
The TestPyPI Trusted Publishing dry-run has been validated. Production PyPI publishing is intentionally deferred.
- It does not claim that sbom-diff-and-risk is a vulnerability scanner.
- It does not claim to resolve CVEs, advisories, exploitability, or package safety verdicts.
- It does not treat optional provenance or Scorecard evidence as proof that a dependency is safe.
- It does not imply that production PyPI publishing is enabled.
- It does not treat GitHub release verification, GitHub workflow artifact attestations, and PyPI Trusted Publishing provenance as interchangeable evidence.
For sbom-diff-and-risk, use the
reviewer path and first choose
the review question:
- 30 seconds: read the reviewer brief.
- 5 minutes: inspect sample JSON, summary, policy, Markdown, and SARIF artifacts.
- 15 minutes: run the deterministic example check in example artifact regeneration.
- Release evidence: use the verification guide and release provenance docs.
- Current flagship release: sbom-diff-and-risk v0.9.0
- GitHub Release assets: available for v0.9.0
- TestPyPI Trusted Publishing dry-run: completed
- Production PyPI publishing: intentionally deferred