Context
The per-enricher docs (docs/src/enrichers/{typosquat,osv-cve,version-jump,maintainer-age,epss,kev,registry}.md) grew organically across v0.5–v0.9.7. v0.9.6's docs refresh standardized some of them around the sections Why this signal / Algorithm / Threshold / Output / Network / Disabling / Calibration / See also, but the coverage is still uneven.
Scope
Audit each enricher chapter and bring them all to the same shape:
- docs/src/enrichers/typosquat.md
- docs/src/enrichers/osv-cve.md
- docs/src/enrichers/version-jump.md
- docs/src/enrichers/maintainer-age.md
- docs/src/enrichers/epss.md
- docs/src/enrichers/kev.md
- docs/src/enrichers/registry.md
Sections (in this order):
- Why this signal — what supply-chain risk does it catch?
- Algorithm — high-level shape (links to source for detail).
- Threshold — what number(s) drive the gate; defaults; why those.
- Output — what the markdown/term/JSON/SARIF/VEX output looks like.
- Network — does it touch the network? Cache TTL? Best-effort fallback?
- Disabling — --no-<name> flag + config key.
- Calibration — relevant CLI/config knobs (--typosquat-similarity-threshold, etc.).
- See also — cross-links to relevant subjects (license-policy.md, sarif.md, etc.).
Acceptance criteria
- … (version-jump has no network).
- docs/src/enrichers/overview.md table summary still matches.
- No code changes; pure docs work.
A note on commit signing
main requires verified signatures (the repo ships cosign-signed releases — we hold our own commits to the same bar).
You usually don't need to set up signing as a contributor — when a maintainer merges via "Merge" or "Squash", GitHub auto-signs the resulting commit and your unsigned PR-branch commits are fine. The friendlier path for everyone.
If you'd like your individual commits to land verbatim on main (so your name shows up in git blame), set up local signing once and your PR can be rebase-merged:
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true
Then add the same SSH public key under GitHub → Settings → SSH and GPG keys → Signing keys.
See CONTRIBUTING.md → Commit signing on main for the full picture. Either way, please don't sweat it — if your PR is otherwise great, the maintainer will pick a merge mode that works.