ossuary-risk 0.1.0__tar.gz → 0.1.1__tar.gz

{ossuary_risk-0.1.0 → ossuary_risk-0.1.1}/.gitignore

@@ -62,6 +62,9 @@ repos/
 data/
 *.json.local
 
+# Validation results
+validation_results*.json
+
 # OS
 .DS_Store
 Thumbs.db

{ossuary_risk-0.1.0 → ossuary_risk-0.1.1}/PKG-INFO

@@ -1,10 +1,10 @@
 Metadata-Version: 2.4
 Name: ossuary-risk
-Version: 0.1.0
+Version: 0.1.1
 Summary: OSS Supply Chain Risk Scoring - Where abandoned packages come to rest
-Project-URL: Homepage, https://github.com/anicka-net/ossuary
-Project-URL: Repository, https://github.com/anicka-net/ossuary
-Project-URL: Documentation, https://github.com/anicka-net/ossuary/blob/main/docs/methodology.md
+Project-URL: Homepage, https://github.com/anicka-net/ossuary-risk
+Project-URL: Repository, https://github.com/anicka-net/ossuary-risk
+Project-URL: Documentation, https://github.com/anicka-net/ossuary-risk/blob/main/docs/methodology.md
 Author: Anicka
 License-Expression: MIT
 Keywords: oss,risk,scoring,security,supply-chain
@@ -165,8 +165,8 @@ Response:
 
 ```bash
 # Clone
-git clone https://github.com/anicka/ossuary.git
-cd ossuary
+git clone https://github.com/anicka-net/ossuary-risk.git
+cd ossuary-risk
 
 # Install with dev dependencies
 pip install -e ".[dev]"
@@ -221,12 +221,12 @@ REPOS_PATH=./repos
 
 ## Validation
 
-Validated on 93 packages (20 incidents + 73 controls):
+Validated on 92 packages (20 incidents + 72 controls):
 
-- **Accuracy**: 91.4%
-- **Precision**: 92.9%
+- **Accuracy**: 92.4%
+- **Precision**: 100.0%
 - **Recall**: 65.0%
-- **F1 Score**: 0.76
+- **F1 Score**: 0.79
 
 T-1 analysis confirms **100% predictive detection** of governance-detectable incidents before they occurred.
 

{ossuary_risk-0.1.0 → ossuary_risk-0.1.1}/README.md

@@ -125,8 +125,8 @@ Response:
 
 ```bash
 # Clone
-git clone https://github.com/anicka/ossuary.git
-cd ossuary
+git clone https://github.com/anicka-net/ossuary-risk.git
+cd ossuary-risk
 
 # Install with dev dependencies
 pip install -e ".[dev]"
@@ -181,12 +181,12 @@ REPOS_PATH=./repos
 
 ## Validation
 
-Validated on 93 packages (20 incidents + 73 controls):
+Validated on 92 packages (20 incidents + 72 controls):
 
-- **Accuracy**: 91.4%
-- **Precision**: 92.9%
+- **Accuracy**: 92.4%
+- **Precision**: 100.0%
 - **Recall**: 65.0%
-- **F1 Score**: 0.76
+- **F1 Score**: 0.79
 
 T-1 analysis confirms **100% predictive detection** of governance-detectable incidents before they occurred.
 

{ossuary_risk-0.1.0 → ossuary_risk-0.1.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "ossuary-risk"
-version = "0.1.0"
+version = "0.1.1"
 description = "OSS Supply Chain Risk Scoring - Where abandoned packages come to rest"
 readme = "README.md"
 license = "MIT"
@@ -53,9 +53,9 @@ dev = [
 ossuary = "ossuary.cli:app"
 
 [project.urls]
-Homepage = "https://github.com/anicka-net/ossuary"
-Repository = "https://github.com/anicka-net/ossuary"
-Documentation = "https://github.com/anicka-net/ossuary/blob/main/docs/methodology.md"
+Homepage = "https://github.com/anicka-net/ossuary-risk"
+Repository = "https://github.com/anicka-net/ossuary-risk"
+Documentation = "https://github.com/anicka-net/ossuary-risk/blob/main/docs/methodology.md"
 
 [tool.hatch.build.targets.wheel]
 packages = ["src/ossuary"]

{ossuary_risk-0.1.0 → ossuary_risk-0.1.1}/src/ossuary/sentiment/analyzer.py

@@ -12,12 +12,29 @@ logger = logging.getLogger(__name__)
 
 # Keywords indicating maintainer frustration/burnout
 # These should be specific enough to avoid false positives on normal development discussions
+#
+# VALIDATION NOTE (Feb 2026):
+# Tested against Marak Squires' actual Nov 2020 rant before colors.js/faker.js sabotage:
+#   "No More Free Works from Marak – Pay Me or Fork It. With all due respect,
+#    I am no longer going to support the Fortune 500 (and other smaller companies)
+#    with my free work."
+#
+# Key finding: VADER scored this as +0.676 (positive!) due to words like "support"
+# and "opportunity". Keyword matching is essential - VADER alone would miss this.
+#
+# Added keywords based on this analysis:
+# - "free work" / "my free work" - exact phrase from Marak's rant
+# - "no longer support" - resignation signal
+# - "stop supporting" - variation
+#
 FRUSTRATION_KEYWORDS = [
     # Direct economic frustration (high signal)
     "not getting paid",
     "unpaid work",
     "free labor",
     "work for free",
+    "free work",  # Added: exact phrase from Marak's 2020 rant
+    "my free work",  # Added: more specific variant
     "donating my time",
     "corporate exploitation",
     "open source exploitation",
@@ -28,6 +45,9 @@ FRUSTRATION_KEYWORDS = [
     "stepping down",
     "giving up on this",
     "abandoning this project",
+    "no longer support",  # Added: from Marak's "no longer going to support"
+    "stop supporting",  # Added: variation
+    "stopping support",  # Added: verb form variation
     # Economic frustration (moderate signal)
     "fortune 500",
     "pay developers",

ossuary_risk-0.1.0/validation_results.json

@@ -1,250 +0,0 @@
-{
-  "timestamp": "2026-02-01T17:38:28.683199",
-  "total": 9,
-  "accuracy": 0.8888888888888888,
-  "precision": 1.0,
-  "recall": 0.6666666666666666,
-  "f1_score": 0.8,
-  "confusion_matrix": {
-    "TP": 2,
-    "TN": 6,
-    "FP": 0,
-    "FN": 1
-  },
-  "by_attack_type": {
-    "governance_failure": {
-      "total": 1,
-      "correct": 1
-    },
-    "maintainer_sabotage": {
-      "total": 1,
-      "correct": 1
-    },
-    "account_compromise": {
-      "total": 1,
-      "correct": 0
-    },
-    "control": {
-      "total": 6,
-      "correct": 6
-    }
-  },
-  "results": [
-    {
-      "case": {
-        "name": "event-stream",
-        "ecosystem": "npm",
-        "expected_outcome": "incident",
-        "attack_type": "governance_failure",
-        "incident_date": "2018-09-16",
-        "cutoff_date": "2018-09-01",
-        "notes": "Abandoned package, malicious maintainer gained access via social engineering",
-        "repo_url": null
-      },
-      "score": 80,
-      "risk_level": "CRITICAL",
-      "predicted_outcome": "risky",
-      "correct": true,
-      "classification": "TP",
-      "maintainer": "rolias",
-      "reputation_score": 15,
-      "reputation_tier": "UNKNOWN",
-      "concentration": 75.0,
-      "commits_last_year": 4,
-      "protective_factors_total": 0,
-      "error": null
-    },
-    {
-      "case": {
-        "name": "colors",
-        "ecosystem": "npm",
-        "expected_outcome": "incident",
-        "attack_type": "maintainer_sabotage",
-        "incident_date": "2022-01-08",
-        "cutoff_date": "2022-01-01",
-        "notes": "Marak intentionally sabotaged as protest against Fortune 500 companies",
-        "repo_url": null
-      },
-      "score": 100,
-      "risk_level": "CRITICAL",
-      "predicted_outcome": "risky",
-      "correct": true,
-      "classification": "TP",
-      "maintainer": "Marak",
-      "reputation_score": 15,
-      "reputation_tier": "UNKNOWN",
-      "concentration": 100,
-      "commits_last_year": 0,
-      "protective_factors_total": -5,
-      "error": null
-    },
-    {
-      "case": {
-        "name": "ua-parser-js",
-        "ecosystem": "npm",
-        "expected_outcome": "incident",
-        "attack_type": "account_compromise",
-        "incident_date": "2021-10-22",
-        "cutoff_date": "2021-10-01",
-        "notes": "Maintainer account compromised via email hijacking. Active project - governance metrics won't catch this.",
-        "repo_url": null
-      },
-      "score": 25,
-      "risk_level": "LOW",
-      "predicted_outcome": "safe",
-      "correct": false,
-      "classification": "FN",
-      "maintainer": "faisalman",
-      "reputation_score": 15,
-      "reputation_tier": "UNKNOWN",
-      "concentration": 80.26315789473685,
-      "commits_last_year": 152,
-      "protective_factors_total": -25,
-      "error": null
-    },
-    {
-      "case": {
-        "name": "chalk",
-        "ecosystem": "npm",
-        "expected_outcome": "safe",
-        "attack_type": null,
-        "incident_date": null,
-        "cutoff_date": null,
-        "notes": "High concentration but Sindre Sorhus has massive reputation and sponsors",
-        "repo_url": null
-      },
-      "score": 0,
-      "risk_level": "VERY_LOW",
-      "predicted_outcome": "safe",
-      "correct": true,
-      "classification": "TN",
-      "maintainer": "sindresorhus",
-      "reputation_score": 90,
-      "reputation_tier": "TIER_1",
-      "concentration": 66.66666666666666,
-      "commits_last_year": 6,
-      "protective_factors_total": -60,
-      "error": null
-    },
-    {
-      "case": {
-        "name": "lodash",
-        "ecosystem": "npm",
-        "expected_outcome": "safe",
-        "attack_type": null,
-        "incident_date": null,
-        "cutoff_date": null,
-        "notes": "Very popular, historically high concentration but visible and maintained",
-        "repo_url": null
-      },
-      "score": 0,
-      "risk_level": "VERY_LOW",
-      "predicted_outcome": "safe",
-      "correct": true,
-      "classification": "TN",
-      "maintainer": "jdalton",
-      "reputation_score": 45,
-      "reputation_tier": "TIER_2",
-      "concentration": 42.857142857142854,
-      "commits_last_year": 35,
-      "protective_factors_total": -45,
-      "error": null
-    },
-    {
-      "case": {
-        "name": "express",
-        "ecosystem": "npm",
-        "expected_outcome": "safe",
-        "attack_type": null,
-        "incident_date": null,
-        "cutoff_date": null,
-        "notes": "OpenJS Foundation, multiple maintainers, very active",
-        "repo_url": null
-      },
-      "score": 0,
-      "risk_level": "VERY_LOW",
-      "predicted_outcome": "safe",
-      "correct": true,
-      "classification": "TN",
-      "maintainer": "dependabot[bot]",
-      "reputation_score": 30,
-      "reputation_tier": "TIER_2",
-      "concentration": 24.444444444444443,
-      "commits_last_year": 135,
-      "protective_factors_total": -65,
-      "error": null
-    },
-    {
-      "case": {
-        "name": "requests",
-        "ecosystem": "pypi",
-        "expected_outcome": "safe",
-        "attack_type": null,
-        "incident_date": null,
-        "cutoff_date": null,
-        "notes": "Transitioned from Kenneth Reitz to PSF, successful community handoff",
-        "repo_url": null
-      },
-      "score": 0,
-      "risk_level": "VERY_LOW",
-      "predicted_outcome": "safe",
-      "correct": true,
-      "classification": "TN",
-      "maintainer": "kennethreitz",
-      "reputation_score": 30,
-      "reputation_tier": "TIER_2",
-      "concentration": 36.36363636363637,
-      "commits_last_year": 66,
-      "protective_factors_total": -70,
-      "error": null
-    },
-    {
-      "case": {
-        "name": "urllib3",
-        "ecosystem": "pypi",
-        "expected_outcome": "safe",
-        "attack_type": null,
-        "incident_date": null,
-        "cutoff_date": null,
-        "notes": "Org-owned, multiple maintainers, good governance",
-        "repo_url": null
-      },
-      "score": 0,
-      "risk_level": "VERY_LOW",
-      "predicted_outcome": "safe",
-      "correct": true,
-      "classification": "TN",
-      "maintainer": "shazow",
-      "reputation_score": 30,
-      "reputation_tier": "TIER_2",
-      "concentration": 36.36363636363637,
-      "commits_last_year": 110,
-      "protective_factors_total": -80,
-      "error": null
-    },
-    {
-      "case": {
-        "name": "django",
-        "ecosystem": "pypi",
-        "expected_outcome": "safe",
-        "attack_type": null,
-        "incident_date": null,
-        "cutoff_date": null,
-        "notes": "Django Software Foundation, many contributors, professional governance",
-        "repo_url": null
-      },
-      "score": 0,
-      "risk_level": "VERY_LOW",
-      "predicted_outcome": "safe",
-      "correct": true,
-      "classification": "TN",
-      "maintainer": "nessita",
-      "reputation_score": 30,
-      "reputation_tier": "TIER_2",
-      "concentration": 16.666666666666664,
-      "commits_last_year": 1602,
-      "protective_factors_total": -45,
-      "error": null
-    }
-  ]
-}