drop slsa v1 provenance json · parse builder id + invocation + materials · runs locally
drop slsa v1 provenance json · local only
heuristic screener · vendor schema varies · not definitive proof