Sweep finding: gale ships wasm kernel modules with strong upstream proof (Verus/Kani/Rocq) and near-complete rivet extraction (642 verifies links — exemplar), but the emitted wasm itself is the unsigned, unverified link.
Track C — wasm gates + signing (priority):
Track D — Pages dashboard: pages.yml deploys only the gust demo.
Track A done; Track E already strong (no action).
Part of the org-wide release-consistency campaign — the five-track standard is in the release-artifact-pipeline skill (plugin v0.10.0).
Coordination hub: pulseengine/pulseengine.eu#98 — if this standard does not fit this repo (you need a deviation, different sequencing, or want to sync on how a track applies), raise it there. Deviations are decided in the open at the hub, not diverged silently.
Sweep finding: gale ships wasm kernel modules with strong upstream proof (Verus/Kani/Rocq) and near-complete rivet extraction (642
verifieslinks — exemplar), but the emitted wasm itself is the unsigned, unverified link.Track C — wasm gates + signing (priority):
gale-wasm-*modules.subject-path— provenance currently covers the.oobjects but not the.wasm.TODO(sigil)— signgale-wasm-manifest-*.json+ the wasm. Blocked on friction: wsc can't sign its own wasm32-wasip2 output — blocks org-wide sigil-sign-wasm standard sigil#164; add cosign now.Track D — Pages dashboard:
pages.ymldeploys only the gust demo.Track A done; Track E already strong (no action).
Part of the org-wide release-consistency campaign — the five-track standard is in the
release-artifact-pipelineskill (plugin v0.10.0).Coordination hub: pulseengine/pulseengine.eu#98 — if this standard does not fit this repo (you need a deviation, different sequencing, or want to sync on how a track applies), raise it there. Deviations are decided in the open at the hub, not diverged silently.