We’ve focused a lot on provenance (where artifacts come from), but less on verifying what actually gets published.
Feels like both are needed — provenance + explicit artifact review.
Curious if others have seen similar issues in other ecosystems (pip, cargo, etc.).