[codex] Sync docs after sbom-diff-and-risk v0.6.0 release

README.md

@@ -22,14 +22,14 @@ Scientific and security-oriented engineering often needs small, inspectable tool
 
 | Project | Status | What to review |
 | --- | --- | --- |
-| [`sbom-diff-and-risk`](tools/sbom-diff-and-risk/README.md) | Released at `v0.5.0` | Deterministic SBOM/dependency diffing, JSON/Markdown/SARIF output, local policy checks, optional provenance and Scorecard evidence. |
+| [`sbom-diff-and-risk`](tools/sbom-diff-and-risk/README.md) | Released at `v0.6.0` | Deterministic SBOM/dependency diffing, JSON/Markdown/SARIF output, local policy checks, optional provenance and Scorecard evidence. |
 
 Useful entry points:
 
 - [`sbom-diff-and-risk` README](tools/sbom-diff-and-risk/README.md)
 - [Reviewer brief](tools/sbom-diff-and-risk/docs/reviewer-brief.md)
 - [Reviewer evidence pack](tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md)
-- [v0.5.0 release notes](tools/sbom-diff-and-risk/RELEASE_NOTES_v0.5.0.md)
+- [v0.6.0 release notes](tools/sbom-diff-and-risk/RELEASE_NOTES_v0.6.0.md)
 - [Examples](tools/sbom-diff-and-risk/examples/)
 
 ## Verification And Release Evidence
@@ -57,14 +57,14 @@ The TestPyPI Trusted Publishing dry-run has been validated. Production PyPI publ
 
 1. Read the [`sbom-diff-and-risk` reviewer brief](tools/sbom-diff-and-risk/docs/reviewer-brief.md).
 2. Skim the [`sbom-diff-and-risk` README](tools/sbom-diff-and-risk/README.md) for CLI scope and examples.
-3. Check the [v0.5.0 release notes](tools/sbom-diff-and-risk/RELEASE_NOTES_v0.5.0.md).
+3. Check the [v0.6.0 release notes](tools/sbom-diff-and-risk/RELEASE_NOTES_v0.6.0.md).
 4. Use the [verification guide](tools/sbom-diff-and-risk/docs/verification.md) to choose the right provenance check.
 5. Inspect the [examples](tools/sbom-diff-and-risk/examples/) for sample reports and policy files.
 
 ## Status
 
-- Current flagship release: `sbom-diff-and-risk` `v0.5.0`
-- GitHub Release assets: available for `v0.5.0`
+- Current flagship release: `sbom-diff-and-risk` `v0.6.0`
+- GitHub Release assets: available for `v0.6.0`
 - TestPyPI Trusted Publishing dry-run: completed
 - Production PyPI publishing: intentionally deferred
 

tools/sbom-diff-and-risk/docs/reviewer-brief.md

@@ -2,7 +2,9 @@
 
 ## Summary
 
-`sbom-diff-and-risk` is a local CLI for comparing two SBOMs or dependency manifests and producing deterministic review artifacts: JSON, Markdown, and SARIF. It is built for conservative supply-chain review, not for vulnerability scanning or package reputation scoring.
+`sbom-diff-and-risk` is a local CLI for comparing two SBOMs or dependency manifests and producing deterministic review artifacts: JSON, Markdown, and SARIF. It is built for conservative supply-chain review, not for vulnerability scanning or package reputation scoring.
+
+Current released version: `v0.6.0`.
 
 ## Why this project matters
 

tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md

@@ -4,7 +4,9 @@ This page is a reproducible evidence checklist for reviewing `sbom-diff-and-risk
 
 ## Project Identity
 
-`sbom-diff-and-risk` is a local-first deterministic CLI for comparing SBOMs and dependency manifests. It is designed to produce stable review evidence for dependency changes.
+`sbom-diff-and-risk` is a local-first deterministic CLI for comparing SBOMs and dependency manifests. It is designed to produce stable review evidence for dependency changes.
+
+Current released version: `v0.6.0`.
 
 Core identity:
 
@@ -70,18 +72,19 @@ For consumers of the JSON output, see [report-schema.md](report-schema.md). It d
 
 ## Release Verification Path
 
-Start with the GitHub Release for the version under review. For `v0.5.0`, inspect the release and assets:
-
-```powershell
-gh release view v0.5.0 --repo stacknil/scientific-computing-toolkit --json tagName,name,isDraft,isPrerelease,assets,url
-```
-
+Start with the GitHub Release for the version under review. For `v0.6.0`, inspect the release and assets:
+
+```powershell
+gh release view v0.6.0 --repo stacknil/scientific-computing-toolkit --json tagName,name,isDraft,isPrerelease,assets,url
+```
+
 Expected release assets:
 
-- `sbom_diff_and_risk-0.5.0-py3-none-any.whl`
-- `sbom_diff_and_risk-0.5.0.tar.gz`
+- `sbom_diff_and_risk-0.6.0-py3-none-any.whl`
+- `sbom_diff_and_risk-0.6.0.tar.gz`
+- `sbom-diff-and-risk-SHA256SUMS.txt`
 
-Releases produced after the checksum-manifest workflow update also include `sbom-diff-and-risk-SHA256SUMS.txt`. Use it to check local downloaded distribution bytes before or alongside provenance verification:
+The checksum manifest checks local downloaded distribution bytes before or alongside provenance verification:
 
 ```powershell
 gh release download <tag> `
@@ -105,28 +108,28 @@ Checksum verification confirms local byte integrity against the release manifest
 For workflow-built artifacts downloaded from a trusted workflow run, verify artifact attestations with the signer workflow:
 
 ```powershell
-gh attestation verify path/to/sbom_diff_and_risk-0.5.0-py3-none-any.whl `
+gh attestation verify path/to/sbom_diff_and_risk-0.6.0-py3-none-any.whl `
   --repo stacknil/scientific-computing-toolkit `
   --signer-workflow stacknil/scientific-computing-toolkit/.github/workflows/sbom-diff-and-risk-ci.yml
 ```
 
 ```powershell
-gh attestation verify path/to/sbom_diff_and_risk-0.5.0.tar.gz `
+gh attestation verify path/to/sbom_diff_and_risk-0.6.0.tar.gz `
   --repo stacknil/scientific-computing-toolkit `
   --signer-workflow stacknil/scientific-computing-toolkit/.github/workflows/sbom-diff-and-risk-ci.yml
 ```
 
 `gh release verify` and `gh release verify-asset` are conditional on immutable releases. Use them only when the repository release is immutable and GitHub has generated release attestations:
 
 ```powershell
-gh release view v0.5.0 --repo stacknil/scientific-computing-toolkit --json isImmutable,assets,url
+gh release view v0.6.0 --repo stacknil/scientific-computing-toolkit --json isImmutable,assets,url
 ```
 
 If `isImmutable` is true, release verification can check the release record and downloaded release assets:
 
 ```powershell
-gh release verify v0.5.0 --repo stacknil/scientific-computing-toolkit
-gh release verify-asset v0.5.0 path/to/sbom_diff_and_risk-0.5.0-py3-none-any.whl --repo stacknil/scientific-computing-toolkit
+gh release verify v0.6.0 --repo stacknil/scientific-computing-toolkit
+gh release verify-asset v0.6.0 path/to/sbom_diff_and_risk-0.6.0-py3-none-any.whl --repo stacknil/scientific-computing-toolkit
 ```
 
 If `isImmutable` is false, use the workflow artifact attestation path as the primary artifact verification story.