
Appendix D — Reviewer's rubric

Status: placeholder. Ships in v1.0.0.

A one-page checklist for security reviewers and procurement teams evaluating an OSS project’s supply-chain posture. Each row maps to a pattern in Tiers 1–3 and includes the artifact to look for (lockfile presence, SARIF outputs, provenance attestation, etc.) plus the manual command to confirm it.
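As an added illustration of the row shape the rubric describes (artifact to look for plus a command that confirms it), the POSIX shell below checks three rows against a checkout directory: a dependency lockfile, a committed SARIF report, and an in-toto provenance attestation bundle. It is example code written for this appendix, not part of the guide or of any project's tooling; the lockfile names, the `results/` and `dist/` paths, and the sample checkout it constructs are assumptions, while the two content checks rest on public formats (a SARIF document carries a top-level `runs` array, and a DSSE-wrapped in-toto statement declares the payload type `application/vnd.in-toto+json`).

```shell
#!/bin/sh
# Added example for the reviewer's rubric; not from the guide. Each check takes a
# checkout directory and exits 0 only when the artifact is present, which is the
# same "artifact + confirming command" structure a rubric row records.

# Row: dependency lockfile present. The file names are an assumed list of
# common ecosystems; extend it for the project under review.
# Manual equivalent: ls package-lock.json yarn.lock Cargo.lock ... in the repo root.
has_lockfile() {
  dir=$1
  for f in package-lock.json yarn.lock pnpm-lock.yaml Cargo.lock go.sum \
           poetry.lock Pipfile.lock Gemfile.lock; do
    [ -f "$dir/$f" ] && return 0
  done
  return 1
}

# Row: static-analysis results published as SARIF. A .sarif extension alone is
# not evidence; require the top-level "runs" key that SARIF 2.1.0 mandates.
# Manual equivalent: find . -name '*.sarif' | xargs grep -l '"runs"'
has_sarif() {
  dir=$1
  for f in $(find "$dir" -name '*.sarif' -type f 2>/dev/null); do
    grep -q '"runs"' "$f" && return 0
  done
  return 1
}

# Row: build provenance attestation shipped with the release. Looks for a
# DSSE bundle (*.intoto.jsonl) whose payloadType names the in-toto statement format.
# Manual equivalent: find . -name '*.intoto.jsonl' | xargs grep -l 'vnd.in-toto+json'
has_provenance() {
  dir=$1
  for f in $(find "$dir" -name '*.intoto.jsonl' -type f 2>/dev/null); do
    grep -q 'application/vnd.in-toto+json' "$f" && return 0
  done
  return 1
}

# Evaluate every row, print PASS/FAIL per row, and return the number of failures
# so the function can gate a review script.
rubric_report() {
  dir=$1
  failed=0
  for row in has_lockfile has_sarif has_provenance; do
    if "$row" "$dir"; then
      printf 'PASS %s\n' "$row"
    else
      printf 'FAIL %s\n' "$row"
      failed=$((failed + 1))
    fi
  done
  return $failed
}

# Constructed sample checkout (assumed layout): lockfile and SARIF present, no
# provenance bundle, so exactly one row should fail. Prints the directory path.
make_sample_repo() {
  d=$(mktemp -d)
  printf '{}\n' > "$d/package-lock.json"
  mkdir -p "$d/results" "$d/dist"
  printf '{"version":"2.1.0","runs":[]}\n' > "$d/results/semgrep.sarif"
  printf '%s\n' "$d"
}

SAMPLE=$(make_sample_repo)
rubric_report "$SAMPLE" || echo "rows failed: $?"
```

Presence checks like these are only the first half of a rubric row: a reviewer still has to confirm that the lockfile is what CI actually installs from, that the SARIF report comes from the current commit, and that the attestation's signature and subject digest verify against the released artifact.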

This appendix is the bridge to the guide's second audience: while the body of this guide is written for maintainers adopting the patterns, the rubric is written for reviewers checking whether those patterns have actually been adopted.