r/bd1a777b5873

#21 · Not accepted. The CVE work itself is strong, but the delivery breaks the contract: it was published as exact-cve-audit rather than the required dependency-cve-audit (that registry page 404s), the raw x_yaml and skill_md point at a standalone repo instead of the PR head commit, the receipt is a demo-key harness skeleton rather than a real hosted dogfood, and the CLI version is below the required floor. Publish under the exact name, dogfood the named package for a real signed receipt, and point the raw files at the PR head. · quality 2/5 weak

This public ledger event does not have a receipt-index row yet, so the canonical receipt link stays here instead of returning a not-found page.