Release standard: add witness + scry on the wasm component, crates.io + npm #297

Description

@avrabe

Sweep finding: spar ships a wasm component (jco-transpiled) with no wasm verification at all — not even a wasmtime load-check, while the native binary gets the full cosign+SLSA+SBOM treatment.

Track C — wasm gates (priority):

Track B — distribution: spar is GH-Release + VS Code Marketplace only.

  • Publish to crates.io (signed CI, OIDC).
  • Add the npm CLI wrapper (spar is user-facing).

Track A done; Track E (~59 links) adequate — extend the existing verification-gate.yml beyond the current milestone-tag scope when convenient.


Part of the org-wide release-consistency campaign — the five-track standard is in the release-artifact-pipeline skill (plugin v0.10.0).
Coordination hub: pulseengine/pulseengine.eu#98 — if this standard does not fit this repo (you need a deviation, different sequencing, or want to sync on how a track applies), raise it there. Deviations are decided in the open at the hub, not diverged silently.

Labels

release-standard: Org-wide release-consistency campaign (five-track standard); coordinate at pulseengine.eu#98
