docs: oss packages criticality (CM-1207)#4155

Open
joanagmaia wants to merge 6 commits into main from docs/oss-packages-criticality

@joanagmaia joanagmaia commented May 29, 2026

This pull request significantly expands and finalizes the methodology for scoring package criticality in the oss-packages domain, replacing the previous placeholder formula with a detailed, defensible approach. It introduces a new section describing the signals, formula, tier allocation policy, and manual override system for identifying critical packages across ecosystems. The documentation is updated to reflect these decisions and clarify open questions.

Criticality scoring methodology and related changes:

  • Added a comprehensive "Criticality scoring methodology" section detailing the signals (including new graph-derived metrics like transitive dependent count and PageRank centrality), the percentile-rank-based scoring formula, and the rationale for weighting each input. This replaces the previous placeholder and defines a robust, tunable approach for ranking package criticality.
  • Defined the per-ecosystem tier allocation policy (floor + ceiling + judgment) for critical packages, including example tier budgets and the reasoning behind them.
  • Introduced a "spotlight override" mechanism using a new package_criticality_spotlight table, allowing manual promotion of packages to critical status with required rationale and auditability.
  • Documented the implementation approach for graph-based signals, including in-memory computation versus possible ingestion from deps.dev, and outlined the worker layout for the new criticality sub-worker.

Documentation and tracking updates:

  • Updated the summary table and open questions to reflect the finalized criticality scoring methodology, removal of the placeholder formula, and new open questions regarding deps.dev coverage for graph signals.
  • Added a changelog entry summarizing the addition of the criticality methodology and the folding of related standalone ADRs into the main record.

Note

Low Risk
Documentation-only changes to ADR-0001; no runtime, schema, or auth code in this diff.

Overview
Replaces the placeholder critical-package formula in ADR-0001 with a full §Criticality scoring methodology: five signals on packages_universe (adding transitive dependent count and PageRank centrality), a per-ecosystem percentile-rank blend with tunable weights passed into rank_packages_universe(), and rationale for avoiding min-max and cross-ecosystem comparison.

Operational design adds floor + ceiling tier budgets (illustrative npm/Maven/PyPI/crates/Go splits), a package_criticality_spotlight table for audited manual is_critical overrides after ranking, and a planned packages_worker/src/criticality/ weekly workflow (in-memory graph from direct package_dependencies edges unless deps.dev can supply transitive counts).

Tracking updates: scope table marks universe selection decided and methodology proposed; universe section points to the new section instead of a placeholder; open questions add deps.dev transitive/centrality verification; changelog records the addition.

Reviewed by Cursor Bugbot for commit b678dc3. Bugbot is set up for automated code reviews on this repo. Configure here.
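
A sketch of the per-ecosystem percentile-rank blend and post-ranking spotlight override described above, as an added example that is not part of the PR or the ADR. The weights, the `downloads` signal, the mid-rank tie handling, the package names, the single per-ecosystem count standing in for the floor + ceiling budget, and the dict standing in for `package_criticality_spotlight` are all assumptions.

```python
from collections import defaultdict

# Assumed for this example: weights and the "downloads" signal are hypothetical.
WEIGHTS = {"transitive_dependents": 0.5, "pagerank": 0.3, "downloads": 0.2}
COLUMN = {"transitive_dependents": 2, "pagerank": 3, "downloads": 4}

# Constructed rows: (ecosystem, name, transitive_dependents, pagerank, downloads)
ROWS = [
    ("npm", "pkg-a", 900_000, 0.09, 5_000_000_000),
    ("npm", "pkg-b", 1_200, 0.01, 2_000_000),
    ("npm", "pkg-c", 40, 0.001, 9_000),
    ("npm", "pkg-d", 40, 0.002, 100),
    ("crates", "pkg-x", 800, 0.05, 4_000_000),
    ("crates", "pkg-y", 10, 0.01, 10_000),
]

def percentile_ranks(values):
    """Mid-rank percentile in (0, 1); tied values get the same rank."""
    n = len(values)
    return [(sum(x < v for x in values) + 0.5 * sum(x == v for x in values)) / n
            for v in values]

def score_packages(rows, weights=WEIGHTS):
    """Weighted blend of percentile ranks, ranked within each ecosystem only."""
    by_eco = defaultdict(list)
    for row in rows:
        by_eco[row[0]].append(row)
    scores = {}
    for eco, pkgs in by_eco.items():
        ranks = {s: percentile_ranks([p[COLUMN[s]] for p in pkgs]) for s in weights}
        for i, p in enumerate(pkgs):
            scores[(eco, p[1])] = sum(w * ranks[s][i] for s, w in weights.items())
    return scores

def mark_critical(rows, budget, spotlight, weights=WEIGHTS):
    """Take the top budget[eco] per ecosystem, then apply spotlight overrides."""
    scores = score_packages(rows, weights)
    critical = {}
    for eco, count in budget.items():
        ranked = sorted((k for k in scores if k[0] == eco),
                        key=lambda k: (-scores[k], k[1]))
        critical.update({k: "ranked" for k in ranked[:count]})
    for key, rationale in spotlight.items():
        if not rationale.strip():
            raise ValueError(f"spotlight entry {key} needs a rationale")
        critical.setdefault(key, "spotlight: " + rationale)
    return critical
```

Because ranks are computed inside each ecosystem, the top crates package in the sample scores 0.75 even though its raw counts are orders of magnitude below npm's, and a spotlighted package carries its rationale alongside the flag.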

Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
…ticality

Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
Copilot AI review requested due to automatic review settings May 29, 2026 16:48

@github-actions github-actions Bot left a comment

Conventional Commits FTW!

@joanagmaia joanagmaia changed the title Docs/oss packages criticality docs: oss packages criticality ()CM-1207 May 29, 2026
@joanagmaia joanagmaia changed the title docs: oss packages criticality ()CM-1207 docs: oss packages criticality (CM-1207) May 29, 2026

Copilot AI left a comment

Pull request overview

This PR updates the living OSS packages ADR to replace the prior placeholder criticality approach with a proposed scoring methodology and implementation plan for ranking critical packages.

Changes:

  • Adds criticality inputs, weighted percentile scoring, tier budget policy, and spotlight override documentation.
  • Documents proposed worker layout and graph-signal computation/ingestion considerations.
  • Updates open questions and changelog entries around the new methodology.

Comment thread docs/adr/0001-oss-packages-design-decisions.md Outdated
Comment thread docs/adr/0001-oss-packages-design-decisions.md
Comment thread docs/adr/0001-oss-packages-design-decisions.md Outdated
Comment thread docs/adr/0001-oss-packages-design-decisions.md
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
Copilot AI review requested due to automatic review settings May 29, 2026 16:53

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.

Comment thread docs/adr/0001-oss-packages-design-decisions.md
Comment thread docs/adr/0001-oss-packages-design-decisions.md Outdated
Comment thread docs/adr/0001-oss-packages-design-decisions.md Outdated
Comment thread docs/adr/0001-oss-packages-design-decisions.md Outdated
joanagmaia and others added 2 commits May 29, 2026 17:55
Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
Copilot AI review requested due to automatic review settings May 29, 2026 16:57

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

Comment thread docs/adr/0001-oss-packages-design-decisions.md
Comment thread docs/adr/0001-oss-packages-design-decisions.md
Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>