Generate a CycloneDX SBOM and a deterministic, audit-ready risk report from your package-lock.json.

You run npm audit. It says “47 vulnerabilities.” Cool. Which ones actually matter? The one in your production bundle? The dev-only Jest dependency? The transitive package you didn’t even know existed?

You don’t know. So you either:

Ignore everything → ship anyway
Or block everything → break your team

Either way, you lose signal.

The real problem isn’t vulnerabilities — it’s decision-making

Most tools answer: “What is wrong?”

They don’t answer:

“What should I do about it?”
“Can I prove that decision later?”

That last one is the real problem.

Enter: audit-ready

Instead of scores, it gives you decisions. Deterministic. Reproducible. Auditable.

🔑 reasonCode replaces CVSS

Every dependency gets exactly one label:

DEV_DEPENDENCY_ONLY
OPTIONAL_DEPENDENCY
TRANSITIVE_NO_EXPLOIT
DIRECT_UNPATCHED
NO_KNOWN_VULNERABILITY
EXEMPTED

No interpretation required.…
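The one-label-per-dependency idea above, as an added JavaScript example that is not the audit-ready project's own code: a classifier over a package-lock.json v3 "packages" map that assigns exactly one of the six reasonCodes to every installed package and emits the report in a fixed order. The precedence order, the version-exact advisory format, the exemption list and all sample lockfile data are constructed assumptions for illustration.

```javascript
// Added example, not the audit-ready project's code: assign exactly one
// reasonCode per installed package from a package-lock.json v3 "packages" map.
// The precedence below is an assumption for illustration; the first match wins.
const PRECEDENCE = [
  ["EXEMPTED",               (p, c) => c.exemptions.has(p.name)],
  ["NO_KNOWN_VULNERABILITY", (p, c) => !(c.advisories[p.name] ?? new Set()).has(p.version)],
  ["DEV_DEPENDENCY_ONLY",    (p) => p.dev],
  ["OPTIONAL_DEPENDENCY",    (p) => p.optional],
  ["DIRECT_UNPATCHED",       (p) => p.direct],
  ["TRANSITIVE_NO_EXPLOIT",  () => true], // vulnerable, but only reachable transitively
];
// One record per installed package; "direct" means the root entry "" lists it in dependencies.
function listPackages(lock) {
  const direct = new Set(Object.keys(lock.packages[""]?.dependencies ?? {}));
  return Object.entries(lock.packages)
    .filter(([path]) => path.startsWith("node_modules/"))
    .map(([path, meta]) => {
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      return { name, version: meta.version, dev: !!meta.dev, optional: !!meta.optional, direct: direct.has(name) };
    });
}
// The first predicate in PRECEDENCE that matches decides the single reasonCode.
function classify(pkg, ctx) {
  return PRECEDENCE.find(([, test]) => test(pkg, ctx))[0];
}
// Sorted by code-point order (not locale) so repeated runs over the same inputs are byte-identical.
function buildReport(lock, advisories, exemptions = new Set()) {
  const ctx = { advisories, exemptions };
  return listPackages(lock)
    .map((p) => ({ name: p.name, version: p.version, reasonCode: classify(p, ctx) }))
    .sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
}
// Constructed sample inputs; versions and advisories are made up for the demo.
const SAMPLE_LOCK = { packages: {
  "": { dependencies: { express: "^4.17.0" }, devDependencies: { jest: "^29.0.0" } },
  "node_modules/express":  { version: "4.17.1" },
  "node_modules/qs":       { version: "6.5.2" }, // pulled in by express, not listed at the root
  "node_modules/jest":     { version: "29.0.0", dev: true },
  "node_modules/fsevents": { version: "2.3.2", optional: true },
  "node_modules/minimist": { version: "1.2.5" },
  "node_modules/lodash":   { version: "4.17.21" },
} };
const SAMPLE_ADVISORIES = { // name -> affected versions (constructed)
  express: new Set(["4.17.1"]), qs: new Set(["6.5.2"]), jest: new Set(["29.0.0"]),
  fsevents: new Set(["2.3.2"]), minimist: new Set(["1.2.5"]),
};
const SAMPLE_EXEMPTIONS = new Set(["minimist"]); // accepted risk, recorded as EXEMPTED
console.log(JSON.stringify(buildReport(SAMPLE_LOCK, SAMPLE_ADVISORIES, SAMPLE_EXEMPTIONS), null, 2));
```

Running the same lockfile and advisory set twice yields an identical report, which is what makes the label defensible in an audit rather than a point-in-time score.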