Sweep finding: spar ships a wasm component (jco-transpiled) with no wasm verification at all — not even a wasmtime load-check, while the native binary gets the full cosign+SLSA+SBOM treatment.
Track C — wasm gates (priority):
Track B — distribution: spar is GH-Release + VS Code Marketplace only.
Track A done; Track E (~59 links) adequate — extend the existing verification-gate.yml beyond the current milestone-tag scope when convenient.
Part of the org-wide release-consistency campaign — the five-track standard is in the release-artifact-pipeline skill (plugin v0.10.0).
Coordination hub: pulseengine/pulseengine.eu#98 — if this standard does not fit this repo (you need a deviation, different sequencing, or want to sync on how a track applies), raise it there. Deviations are decided in the open at the hub, not diverged silently.
Sweep finding: spar ships a wasm component (jco-transpiled) with no wasm verification at all — not even a wasmtime load-check, while the native binary gets the full cosign+SLSA+SBOM treatment.
Track C — wasm gates (priority):
Track B — distribution: spar is GH-Release + VS Code Marketplace only.
Track A done; Track E (~59 links) adequate — extend the existing
verification-gate.ymlbeyond the current milestone-tag scope when convenient.Part of the org-wide release-consistency campaign — the five-track standard is in the
release-artifact-pipelineskill (plugin v0.10.0).Coordination hub: pulseengine/pulseengine.eu#98 — if this standard does not fit this repo (you need a deviation, different sequencing, or want to sync on how a track applies), raise it there. Deviations are decided in the open at the hub, not diverged silently.