[codex] Release sbom-diff-and-risk v0.9.0

tools/sbom-diff-and-risk/README.md

@@ -1,11 +1,10 @@
 # sbom-diff-and-risk
 
-v0.8.0 is the policy decision explainability release. It adds stable
-machine-readable explanation fields for JSON policy findings and reviewer
-documentation for interpreting local policy decisions. It keeps CLI analysis
-behavior unchanged, keeps dependency analysis local and deterministic by
-default, preserves the completed TestPyPI dry-run story, and keeps production
-PyPI publishing intentionally deferred.
+v0.9.0 is the policy JSON sidecar and consumer integration usability release.
+It adds optional `--policy-json PATH` output, checked-in policy sidecar
+examples, and copyable GitHub Actions consumer guidance. It keeps dependency
+analysis local and deterministic by default, preserves the completed TestPyPI
+dry-run story, and keeps production PyPI publishing intentionally deferred.
 
 `sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
 

tools/sbom-diff-and-risk/RELEASE_NOTES_v0.9.0.md

@@ -101,6 +101,6 @@ does not change this repository's GitHub Actions configuration.
 - No production PyPI publishing.
 - No production PyPI workflow.
 
-This PR only drafts release notes. It does not bump package version, create a
-tag, create a GitHub Release, publish to PyPI/TestPyPI, or change runtime
-behavior.
+The v0.9.0 release is prepared for the tag-gated GitHub Release workflow. It
+does not publish to PyPI/TestPyPI and keeps production PyPI intentionally
+deferred.

tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif

@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.8.0",
-          "semanticVersion": "0.8.0",
+          "version": "0.9.0",
+          "semanticVersion": "0.9.0",
           "rules": [
             {
               "id": "sdr.policy_violation.provenance_required",

tools/sbom-diff-and-risk/examples/sample-sarif.sarif

@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.8.0",
-          "semanticVersion": "0.8.0",
+          "version": "0.9.0",
+          "semanticVersion": "0.9.0",
           "rules": [
             {
               "id": "sdr.major_upgrade",

tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif

@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.8.0",
-          "semanticVersion": "0.8.0",
+          "version": "0.9.0",
+          "semanticVersion": "0.9.0",
           "rules": [
             {
               "id": "sdr.policy_violation.scorecard_below_threshold",

tools/sbom-diff-and-risk/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "sbom-diff-and-risk"
-version = "0.8.0"
+version = "0.9.0"
 description = "Deterministic SBOM diff CLI with heuristic risk reporting."
 readme = { file = "PYPI_DESCRIPTION.md", content-type = "text/markdown" }
 requires-python = ">=3.11"

tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py

@@ -2,4 +2,4 @@
 
 __all__ = ["__version__"]
 
-__version__ = "0.8.0"
+__version__ = "0.9.0"