[codex] Add reviewer evidence pack

[stacknil]

Summary

Adds a reviewer evidence pack for sbom-diff-and-risk as v0.6 / PR1 documentation.

The evidence pack gives reviewers a reproducible path through demo commands, expected outputs, release verification, TestPyPI evidence, SARIF/code-scanning evidence, and explicit non-claims.

Scope

• Adds tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md.
• Links it from the root README, the tool README, and the reviewer brief.
• Keeps CLI behavior, package metadata, workflows, release tags, and publishing policy unchanged.

Validation

• git diff --check
• Confirmed relative Markdown links in touched files resolve.
• Confirmed .github/workflows/ still has no production PyPI workflow.
• Confirmed package version remains 0.5.0.
• No Python tests were run because this is docs-only.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e9910752d6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use LF endings for modified Markdown files

This commit rewrites README.md (and also tools/sbom-diff-and-risk/docs/reviewer-brief.md) with CRLF line endings, which makes git diff --check report trailing whitespace on nearly every touched line (exit code 2). That introduces avoidable whitespace-check failures and noisy future diffs/merges; these docs should be saved with LF endings to keep the repo’s diff hygiene intact.

Useful? React with 👍 / 👎.