Release-consistency campaign: roll the five-track standard across all repos

[avrabe]

This is the coordination hub for the org-wide release-consistency campaign. Every release-cutting repo has its own rollout issue (index below). The standard is encoded in the release-artifact-pipeline skill (plugin v0.10.0).

🔀 Coordinate here — don't diverge silently

If the standard doesn't fit your repo — you need a deviation, different sequencing, a track is N/A for good reason, or you want to sync on how a track applies — comment on this issue. Decisions about the standard are made here, in the open, and flow back to the per-repo issues and the skill. The per-repo issues are the work; this issue is the contract. (This uses the existing issue-based coordination mechanism — a more interactive agent-coordination channel is being designed separately.)

The standard (maintainer decisions)

• Track A — native binaries: cosign + SHA256SUMS + CycloneDX SBOM + SLSA (synth-canonical). Broadly done.
• Track B — distribution: crates.io for everything Rust; npm for every CLI/tool; more channels later.
• Track C — wasm: sigil + cosign signing and a witness MC/DC gate and a scry gate — same bar as the binary. The sigil step is blocked on friction: wsc can't sign its own wasm32-wasip2 output — blocks org-wide sigil-sign-wasm standard sigil#164 (wasip2 parser); add cosign now, sigil as it clears.
• Track D — Pages: witness-viz/scry-viz verification dashboard.
• Track E — rivet extraction: test-level verifies links (relay pattern) + a rivet-driven verification gate.

Per-repo rollout index

Repo	Issue	Primary gaps
sigil (prereq)	pulseengine/sigil#164	🔑 wasip2 parser — gates all sigil-sign-wasm rollout
loom	pulseengine/loom#227	C: witness+scry (optimizer w/ no wasm verif); B: crates.io+npm; E
meld	pulseengine/meld#302	C: witness+scry; B: crates.io+npm; E: 0 rivet links
gale	pulseengine/gale#96	C: witness+scry on kernels, SLSA misses .wasm, sigil TODO; D
spar	pulseengine/spar#297	C: witness+scry (no wasmtime check); B: crates.io+npm
relay	pulseengine/relay#222	C: manual witness→CI gate (witness#145), add scry
wohl	pulseengine/wohl#50	C: witness→CI, ship signed wasm, scry; E: add gate
kiln	pulseengine/kiln#356	A+B: no release at all; C: witness+scry, re-enable Kani
jess	pulseengine/jess#91	C: witness+scry CI gates (wasm firmware, runs neither)
rivet	pulseengine/rivet#557	B: add crates.io (npm-only today)
sigil	pulseengine/sigil#165	A: SBOM; B: npm; C: wire witness gate + scry
synth	pulseengine/synth#426	B: add npm wrapper
scry	pulseengine/scry#59	E: 0 verifies links despite live MC/DC + 111 tests + 12 proofs
witness	pulseengine/witness#115	E: 2/55 extraction; B: crates.io + npm
mcp	pulseengine/mcp#100	A+B: manual unsigned publish→signed CI; E: 0 links

The sweep matrix

Repo	Ships wasm	Dist	Track A	sigil wasm	witness	scry	verifies	Pages
rivet	no	GH+npm	✅	n/a	n/a	n/a	65/193	✗
sigil	comp+cli	GH+crates+OCI	⚠️ −SBOM	self best-effort	harness not-run	✗	~75	✗
witness	reporter	GH	✅	✗	✅ self	✗	2/55	✅
scry	comp	GH+crates	✅	✗	✅ gate	✅ self	0	✅
synth	no(→native)	GH+crates	✅	feature-only	n/a	n/a	141	✗
gale	kernels	GH	✅(.o not wasm)	✗ TODO	✗	✗	642	demo
meld	in/out	GH	✅	✗	✗	✗	0 rivet	✗
loom	optimizer	GH	✅	✗	✗	✗	~6	✗
spar	comp	GH+VSCode	✅	✗	✗	✗	~59	✗
relay	comp	GH	✅	✗	manual	✗	320 (120/128)	✗
wohl	comp(unshipped)	GH	✅	CI-not-shipped	manual	✗	42	✗
mcp	no	crates(manual!)+GH	❌	n/a	n/a	n/a	0	✗
kiln	—	none	—	—	✗	✗	static	docs

Verification-extraction exemplars to copy: relay (test-level), gale/synth (volume). Laggards: scry, witness, loom, meld, mcp.

Field reports that surfaced this: #88–#95. Three (#89 relay, #92 gale, #93 synth) are now stale on their headline numbers — those gaps closed mid-campaign.