Sweep finding: kiln is the wasm interpreter/runtime yet has the weakest pipeline of all — there is no release.yml (the publish.yml only deploys docs), nothing is released or published, no signing/SBOM/SLSA, and its Kani harnesses, capability tests, and verification dashboard are all .disabled.
Track A + B — stand up a real release (priority):
Track C — wasm gates:
Track E: wire an executable rivet verification gate (currently static requirements.toml only).
Part of the org-wide release-consistency campaign — the five-track standard is in the release-artifact-pipeline skill (plugin v0.10.0).
Coordination hub: pulseengine/pulseengine.eu#98 — if this standard does not fit this repo (you need a deviation, different sequencing, or want to sync on how a track applies), raise it there. Deviations are decided in the open at the hub, not diverged silently.
Sweep finding: kiln is the wasm interpreter/runtime yet has the weakest pipeline of all — there is no
release.yml(thepublish.ymlonly deploys docs), nothing is released or published, no signing/SBOM/SLSA, and its Kani harnesses, capability tests, and verification dashboard are all.disabled.Track A + B — stand up a real release (priority):
release.ymlproducing signed artifacts (cosign + SHA256SUMS + CycloneDX SBOM + SLSA — synth-canonical).Track C — wasm gates:
Track E: wire an executable rivet verification gate (currently static
requirements.tomlonly).Part of the org-wide release-consistency campaign — the five-track standard is in the
release-artifact-pipelineskill (plugin v0.10.0).Coordination hub: pulseengine/pulseengine.eu#98 — if this standard does not fit this repo (you need a deviation, different sequencing, or want to sync on how a track applies), raise it there. Deviations are decided in the open at the hub, not diverged silently.