[codex] Sync docs after sbom-diff-and-risk v0.8.0 release

README.md

@@ -32,18 +32,19 @@ Project:
 [`sbom-diff-and-risk`](tools/sbom-diff-and-risk/README.md)
 
 Status:
-Released at `v0.7.0`.
+Released at `v0.8.0`.
 
 What to review:
 Deterministic SBOM/dependency diffing, JSON/Markdown/SARIF output, local policy
-checks, optional provenance and Scorecard evidence.
+checks, policy decision explainability, optional provenance and Scorecard
+evidence.
 
 Useful entry points:
 
 - [`sbom-diff-and-risk` README](tools/sbom-diff-and-risk/README.md)
 - [Reviewer brief](tools/sbom-diff-and-risk/docs/reviewer-brief.md)
 - [Reviewer evidence pack](tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md)
-- [v0.7.0 release notes][release-notes-v070]
+- [v0.8.0 release notes][release-notes-v080]
 - [Examples](tools/sbom-diff-and-risk/examples/)
 
 ## Verification and Release Evidence
@@ -79,17 +80,17 @@ publishing is intentionally deferred.
 1. Read the [`sbom-diff-and-risk` reviewer brief](tools/sbom-diff-and-risk/docs/reviewer-brief.md).
 2. Skim the [`sbom-diff-and-risk` README](tools/sbom-diff-and-risk/README.md)
    for CLI scope and examples.
-3. Check the [v0.7.0 release notes][release-notes-v070].
+3. Check the [v0.8.0 release notes][release-notes-v080].
 4. Use the [verification guide](tools/sbom-diff-and-risk/docs/verification.md)
    to choose the right provenance check.
 5. Inspect the [examples](tools/sbom-diff-and-risk/examples/) for sample reports and policy files.
 
 ## Status
 
-- Current flagship release: `sbom-diff-and-risk` `v0.7.0`
-- GitHub Release assets: available for `v0.7.0`
+- Current flagship release: `sbom-diff-and-risk` `v0.8.0`
+- GitHub Release assets: available for `v0.8.0`
 - TestPyPI Trusted Publishing dry-run: completed
 - Production PyPI publishing: intentionally deferred
 
-[release-notes-v070]: tools/sbom-diff-and-risk/RELEASE_NOTES_v0.7.0.md
+[release-notes-v080]: tools/sbom-diff-and-risk/RELEASE_NOTES_v0.8.0.md
 

tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md

@@ -50,15 +50,15 @@ jobs:
           GH_TOKEN: ${{ github.token }}
         run: |
           mkdir -p .tooling/sbom-diff-risk
-          gh release download v0.7.0 \
+          gh release download v0.8.0 \
             --repo stacknil/scientific-computing-toolkit \
-            --pattern "sbom_diff_and_risk-0.7.0-py3-none-any.whl" \
+            --pattern "sbom_diff_and_risk-0.8.0-py3-none-any.whl" \
             --dir .tooling/sbom-diff-risk
 
       - name: Install sbom-diff-risk
         run: |
           python -m pip install \
-            .tooling/sbom-diff-risk/sbom_diff_and_risk-0.7.0-py3-none-any.whl
+            .tooling/sbom-diff-risk/sbom_diff_and_risk-0.8.0-py3-none-any.whl
 
       - name: Compare dependency evidence
         run: |

tools/sbom-diff-and-risk/docs/reviewer-brief.md

@@ -4,7 +4,7 @@
 
 `sbom-diff-and-risk` is a local CLI for comparing two SBOMs or dependency manifests and producing deterministic review artifacts: JSON, Markdown, and SARIF. It is built for conservative supply-chain review, not for vulnerability scanning or package reputation scoring.
 
-Current released version: `v0.7.0`.
+Current released version: `v0.8.0`.
 
 ## Why this project matters
 

tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md

@@ -6,7 +6,7 @@ This page is a reproducible evidence checklist for reviewing `sbom-diff-and-risk
 
 `sbom-diff-and-risk` is a local-first deterministic CLI for comparing SBOMs and dependency manifests. It is designed to produce stable review evidence for dependency changes.
 
-Current released version: `v0.7.0`.
+Current released version: `v0.8.0`.
 
 Core identity:
 
@@ -89,19 +89,19 @@ For CI dashboard, job-summary, and local-threshold examples that consume
 
 ## Release Verification Path
 
-Start with the GitHub Release for the version under review. For `v0.7.0`,
+Start with the GitHub Release for the version under review. For `v0.8.0`,
 inspect the release and assets:
 
 ```powershell
-gh release view v0.7.0 `
+gh release view v0.8.0 `
   --repo stacknil/scientific-computing-toolkit `
   --json tagName,name,isDraft,isPrerelease,assets,url
 ```
 
 Expected release assets:
 
-- `sbom_diff_and_risk-0.7.0-py3-none-any.whl`
-- `sbom_diff_and_risk-0.7.0.tar.gz`
+- `sbom_diff_and_risk-0.8.0-py3-none-any.whl`
+- `sbom_diff_and_risk-0.8.0.tar.gz`
 - `sbom-diff-and-risk-SHA256SUMS.txt`
 
 The checksum manifest checks local downloaded distribution bytes before or alongside provenance verification:
@@ -132,13 +132,13 @@ For workflow-built artifacts downloaded from a trusted workflow run, verify
 artifact attestations with the signer workflow:
 
 ```powershell
-gh attestation verify path/to/sbom_diff_and_risk-0.7.0-py3-none-any.whl `
+gh attestation verify path/to/sbom_diff_and_risk-0.8.0-py3-none-any.whl `
   --repo stacknil/scientific-computing-toolkit `
   --signer-workflow stacknil/scientific-computing-toolkit/.github/workflows/sbom-diff-and-risk-ci.yml
 ```
 
 ```powershell
-gh attestation verify path/to/sbom_diff_and_risk-0.7.0.tar.gz `
+gh attestation verify path/to/sbom_diff_and_risk-0.8.0.tar.gz `
   --repo stacknil/scientific-computing-toolkit `
   --signer-workflow stacknil/scientific-computing-toolkit/.github/workflows/sbom-diff-and-risk-ci.yml
 ```
@@ -148,15 +148,15 @@ releases. Use them only when the repository release is immutable and GitHub has
 generated release attestations:
 
 ```powershell
-gh release view v0.7.0 --repo stacknil/scientific-computing-toolkit --json isImmutable,assets,url
+gh release view v0.8.0 --repo stacknil/scientific-computing-toolkit --json isImmutable,assets,url
 ```
 
 If `isImmutable` is true, release verification can check the release record and
 downloaded release assets:
 
 ```powershell
-gh release verify v0.7.0 --repo stacknil/scientific-computing-toolkit
-gh release verify-asset v0.7.0 path/to/sbom_diff_and_risk-0.7.0-py3-none-any.whl --repo stacknil/scientific-computing-toolkit
+gh release verify v0.8.0 --repo stacknil/scientific-computing-toolkit
+gh release verify-asset v0.8.0 path/to/sbom_diff_and_risk-0.8.0-py3-none-any.whl --repo stacknil/scientific-computing-toolkit
 ```
 
 If `isImmutable` is false, use the workflow artifact attestation path as the primary artifact verification story.

tools/sbom-diff-and-risk/examples/github-actions-consumer.yml

@@ -31,15 +31,15 @@ jobs:
           GH_TOKEN: ${{ github.token }}
         run: |
           mkdir -p .tooling/sbom-diff-risk
-          gh release download v0.7.0 \
+          gh release download v0.8.0 \
             --repo stacknil/scientific-computing-toolkit \
-            --pattern "sbom_diff_and_risk-0.7.0-py3-none-any.whl" \
+            --pattern "sbom_diff_and_risk-0.8.0-py3-none-any.whl" \
             --dir .tooling/sbom-diff-risk
 
       - name: Install sbom-diff-risk
         run: |
           python -m pip install \
-            .tooling/sbom-diff-risk/sbom_diff_and_risk-0.7.0-py3-none-any.whl
+            .tooling/sbom-diff-risk/sbom_diff_and_risk-0.8.0-py3-none-any.whl
 
       - name: Compare dependency evidence
         run: |