Appendices

Status: outline only. Appendices ship in v1.0.0 (see project status).

• A. Tool landscape — deterministic-deps vs pin-github-action, StepSecurity, Renovate SHA mode, Scorecard’s pinned-dependencies check
• B. Fork hygiene — when and how to fork-and-trim a transitive dependency
• C. Migration playbook — introducing these patterns to a live repo without nuking dev velocity
• D. Reviewer’s rubric — one-page checklist for procurement and audit readers
• E. Verification cookbook — what to grep for, what artifacts to expect