Module signals

Structs

Evidence
RiskSignal

Enums

Severity

Constants

KNOWN_GOOD_CRATES
Ubiquitous, widely-audited platform/ecosystem crates. Their heuristic findings (FFI name, build script, unsafe, duplicate versions) are kept for transparency but contribute zero weight, so they never dominate the score. Advisory matches against these crates are NEVER suppressed.
POPULAR_CRATES
High-profile crates frequently impersonated by typosquats. A dependency one edit away from one of these (but not itself on the list) is a likely typosquat. Curated, not exhaustive — extend as the ecosystem shifts.

Functions

collect_basic_signals
Collect static, metadata-based risk signals for a lockfile.
is_known_good
Whether a crate is on the built-in known-good baseline (case-sensitive, matches crate names as they appear in Cargo.lock).
sort_signals
Stable ordering: severity desc, then signal id, then package — so that JSON and Markdown output is deterministic regardless of discovery order.
typosquat_target
Public selector: the popular crate this name is a possible typosquat of (Damerau-Levenshtein distance 1), if it is a candidate worth corroborating.