Package
Which package does this affect? [ ] cli [ ] schema [x] docs [x] ci
Problem / Motivation
The repo already runs cargo audit, cargo deny, cargo machete and OSSF Scorecard. Missing for the next hygiene tier:
- SLSA provenance attestation on release artifacts (binaries, crates, npm wasm).
- cargo vet (or crev) for transitive dependency review.
For a binary that orchestrates git push and writes version files in users' repos, this is a reasonable bar.
Proposed solution
Acceptance criteria
- SLSA L3 provenance generated on release via the official GitHub action; attestation attached to release assets.
- cargo vet initialised, audit imports added (Mozilla / Bytecode Alliance / Google), CI job verifies no unaudited deps.
- Release docs / website mention provenance verification command.
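As an added sketch of what the three criteria look like wired together (this is illustrative, not the project's existing workflow): a release workflow that builds the assets, hands their SHA-256 digests to the SLSA generator's reusable workflow, and a separate PR/push job that fails when any dependency lacks an audit. The artifact name `my-cli`, the pinned action versions and the `OWNER/REPO` slug are placeholders to be replaced.

```yaml
# .github/workflows/release.yml (illustrative, not the repo's current file)
name: release
on:
  push:
    tags: ["v*"]

permissions: read-all   # least privilege by default; jobs opt in below

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
      - run: cargo build --release --locked
      - name: Collect release assets (placeholder artifact name)
        run: |
          mkdir dist
          cp target/release/my-cli dist/my-cli-x86_64-unknown-linux-gnu
      - name: Compute SHA-256 subjects for the provenance generator
        id: hash
        run: |
          set -euo pipefail
          cd dist
          # The generator expects "sha256sum" output, base64-encoded on one line.
          echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  # Provenance comes from the reusable workflow, not an inline step: the
  # generator runs in its own isolated job, which is what earns SLSA L3.
  provenance:
    needs: [build]
    permissions:
      actions: read
      id-token: write   # OIDC token for Sigstore signing
      contents: write   # upload the attestation to the release
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
      upload-assets: true

# ---- .github/workflows/vet.yml (illustrative) ----
# name: supply-chain
# on: [pull_request, push]
# jobs:
#   vet:
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4
#       - run: cargo install --locked cargo-vet
#       # --locked: fail instead of fetching fresh imports, so CI passes only
#       # against the audits already committed under supply-chain/.
#       - run: cargo vet --locked
```

One-time setup for the vet job is `cargo vet init`, then `cargo vet import mozilla https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml` (and the equivalent for the Bytecode Alliance and Google audit files), committing the resulting `supply-chain/` directory; anything still unaudited after that shows up in `cargo vet` as an exemption that has to be either audited or explicitly carried. The verification command the release docs should carry is the slsa-verifier invocation against the downloaded asset and the attestation the generator attaches (its default name is `multiple.intoto.jsonl`): `slsa-verifier verify-artifact my-cli-x86_64-unknown-linux-gnu --provenance-path multiple.intoto.jsonl --source-uri github.com/OWNER/REPO --source-tag v1.2.3`. The `--source-uri` and `--source-tag` checks are the point: a valid signature from the wrong repository or tag is still a failure.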
Alternatives considered
None considered explicitly — this is the natural shape.
Additional context
Severity: P3
Category: oss-hygiene
Kit / UI candidate: No — but the same pattern should be reused on every FerrLabs SaaS API release.