Sweep finding: mcp's "release" pipeline only validates — it never publishes or signs. crates.io publishing is a stale, manual, unsigned local shell script (scripts/publish.sh, still pinned to v0.3.1/v0.4.0 while the workspace is 0.17.0), and the GitHub-Release tarball ships with no SHA256SUMS, no SBOM, no cosign, no SLSA. rivet is configured (rivet.yaml) but has 0 verifies links and is unwired.
Track A + B — publish + sign (priority):
scripts/publish.sh.
Track E — extraction:
verifies links mapping requirements → tests (relay pattern).
Track C N/A (mcp emits no wasm).
Part of the org-wide release-consistency campaign — the five-track standard is in the release-artifact-pipeline skill (plugin v0.10.0).
Coordination hub: pulseengine/pulseengine.eu#98 — if this standard does not fit this repo (you need a deviation, different sequencing, or want to sync on how a track applies), raise it there. Deviations are decided in the open at the hub, not diverged silently.
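An added example, not part of the issue or of the mcp repository's tooling: one way to produce and check the SHA256SUMS manifest that the finding says the release tarball lacks. The function names, directory layout and tarball name are assumptions made for illustration, and it relies on the coreutils `sha256sum` command.

```shell
#!/bin/sh
# Added example: build and verify a SHA256SUMS manifest for release artifacts.
# Function names and the artifact file name are constructed for illustration.

# write_sums DIR: record a digest for every regular file in DIR.
write_sums() {
    ( cd "$1" || exit 1
      : > SHA256SUMS.tmp
      for f in *; do
          [ -f "$f" ] || continue
          case "$f" in SHA256SUMS|SHA256SUMS.tmp) continue ;; esac
          sha256sum -- "$f" >> SHA256SUMS.tmp || exit 1
      done
      mv SHA256SUMS.tmp SHA256SUMS )
}

# verify_sums DIR: fail if a listed file is missing or altered, or if DIR
# holds a file the manifest does not cover (an unlisted artifact is as
# suspicious as a modified one).
verify_sums() {
    ( cd "$1" || exit 1
      [ -s SHA256SUMS ] || { echo "missing or empty SHA256SUMS" >&2; exit 1; }
      sha256sum -c SHA256SUMS >/dev/null || exit 1
      for f in *; do
          [ -f "$f" ] || continue
          [ "$f" = SHA256SUMS ] && continue
          # Manifest lines are 64 hex chars, two separator chars, then the name.
          awk -v n="$f" 'substr($0, 67) == n { ok = 1 } END { exit !ok }' \
              SHA256SUMS || { echo "unlisted artifact: $f" >&2; exit 1; }
      done )
}

# Constructed demo: a small file stands in for the GitHub-Release tarball.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed release payload\n' > "$d/mcp-0.17.0.tar.gz"
    write_sums "$d" && verify_sums "$d" && echo "clean: ok"
    printf 'tampered\n' >> "$d/mcp-0.17.0.tar.gz"
    verify_sums "$d" 2>/dev/null || echo "tampered: rejected"
    rm -rf "$d"
}
demo
```

A manifest like this only detects corruption or substitution if it is itself authenticated, which is what the signing items in the same finding (cosign, SLSA provenance) would cover.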