Proposal
Add oss/skills/exact-cve-audit as a standalone governed community skill for exact npm dependency CVE evidence.
Unlike the existing single-run dependency audit, this package uses a graph with separate scan, independent OSV replay, and finalize steps. The finalize step is guarded and fails closed unless replay proves zero false and zero missing findings. Inputs require a full immutable Git commit and a lockfile URL pinned to that commit.
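As an added illustration (not code from the proposed skill package), the fail-closed finalize step sketched above: inputs are rejected unless the commit is a full immutable SHA and the lockfile URL is pinned to it, and the scan's findings are only finalized when an independent OSV replay confirms every one of them with nothing extra. The commit, URL, package names and advisory ids below are constructed placeholders.

```python
import re
from dataclasses import dataclass

FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")  # full SHA-1, not a branch, tag or short hash

@dataclass(frozen=True)
class Finding:
    package: str   # npm package name from the lockfile
    version: str   # exact resolved version
    advisory: str  # OSV / GHSA identifier

def input_problems(commit: str, lockfile_url: str) -> list[str]:
    """Return the reasons the inputs are not acceptable (empty list means acceptable)."""
    problems = []
    if not FULL_SHA_RE.fullmatch(commit):
        problems.append("commit is not a full 40-hex immutable SHA")
    if commit not in lockfile_url:
        problems.append("lockfile URL is not pinned to the commit")
    return problems

def replay_diff(scan: set, replay: set) -> tuple[set, set]:
    """Compare the scan step's findings with the independent OSV replay."""
    false_findings = scan - replay    # reported by scan, not confirmed by replay
    missing_findings = replay - scan  # confirmed by replay, absent from scan
    return false_findings, missing_findings

def finalize(commit: str, lockfile_url: str, scan: set, replay: set) -> dict:
    """Guarded finalize: blocked unless inputs are pinned and replay agrees exactly."""
    problems = input_problems(commit, lockfile_url)
    if problems:
        return {"status": "blocked", "reasons": problems}
    false_findings, missing_findings = replay_diff(scan, replay)
    if false_findings or missing_findings:
        return {"status": "blocked", "false": len(false_findings), "missing": len(missing_findings)}
    return {"status": "finalized", "commit": commit, "advisories": sorted(f.advisory for f in scan)}

# Constructed sample data: placeholder commit, URL, packages and advisory ids (not real).
COMMIT = "0123456789abcdef0123456789abcdef01234567"
LOCKFILE_URL = f"https://example.invalid/repo/raw/{COMMIT}/package-lock.json"
SCAN = {Finding("pkg-a", "1.2.3", "GHSA-PLACEHOLDER-0001"),
        Finding("pkg-b", "4.5.6", "GHSA-PLACEHOLDER-0002")}
REPLAY_AGREES = set(SCAN)
REPLAY_DISAGREES = {Finding("pkg-b", "4.5.6", "GHSA-PLACEHOLDER-0002"),   # pkg-a dropped: false finding
                    Finding("pkg-c", "7.8.9", "GHSA-PLACEHOLDER-0003")}   # pkg-c added: missing finding

if __name__ == "__main__":
    print(finalize(COMMIT, LOCKFILE_URL, SCAN, REPLAY_AGREES))
    print(finalize(COMMIT, LOCKFILE_URL, SCAN, REPLAY_DISAGREES))
```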
Public evidence
The contribution is isolated to the standalone skill package and does not change runtime or public API contracts.