Track checksums for Cargo paths and git repos #38
Merged
Adds the third hash-algorithm variant SLSA's DigestSet recognizes, so git and path dependencies can carry their commit SHA in provenance output without being coerced into a Sha256 field.
Wraps git status --porcelain to enforce that an external path dependency's working tree fully matches its recorded git commit.
Thin wrapper around git rev-parse HEAD used to capture the commit SHA of an external path dependency at build time.
Walks [dependencies], [dev-dependencies], [build-dependencies], [target.*.deps], and [patch.*] in the project's Cargo.toml, canonicalizes each declared path, and keeps only those that resolve outside the project directory.
Discover manifests reachable from [workspace.members], including a single trailing glob (e.g. crates/*). Walking member manifests is required so path deps declared inside a workspace member surface as external deps.
discover_manifests previously errored when any glob-expanded member directory lacked a Cargo.toml, but cargo itself silently skips such directories. Literal member entries still error since those are user-named and typos should surface.
Handles registry deps (with checksum), git deps (commit SHA pulled from source URL fragment), workspace members (skipped), and surfaces errors for registry deps missing a checksum or sources with an unrecognized prefix. External path deps still error pending Task 7.
Closes the last untested branch in classify_package's git+ arm.
When a lockfile package has no source field and matches a path-dep declaration outside the project, require the working tree to be clean and record its HEAD commit as the dep's digest.
Parses Cargo.lock, classifies each package via classify_package, and returns a URI-sorted list of ResolvedDependency. Regression-tested against the existing ripgrep fixture to confirm registry-only output is unchanged.
Synthesizes a project + external git repo + Cargo.lock and asserts the resolved-deps output for each dep category, plus a dirty-tree abort case.
collect_inputs now calls cargo_lock::resolve_dependencies, which captures git commit SHAs for git and external path deps and errors on unaccounted-for entries. The previous parse_cargo_lock function (silently dropping non-registry deps) is removed.
Format drift across the new cargo_lock module and one cargo.rs line. Final-review fix; no behavior change.
A git source URL like https://github.com/foo?branch=bar produced a URI with two literal `?` chars, confusing PURL parsers. The new pct_encode helper handles the four characters that actually break PURL qualifier parsing: ?, #, &, and space. = and @ pass through since they're unambiguous in qualifier values.
Locks the integration boundary between cargo.rs and cargo_lock.rs: the project path and lockfile bytes are forwarded correctly, and the resolved git dep lands in CargoInputs.resolved_deps with the GitCommit digest.
Adds kettle to the build-projects matrix so every PR builds kettle with the kettle binary it produced. This covers git deps (sev), git deps with query strings (attestation, which exercises the pct_encode helper), and workspace-internal path patches (crates/* via [patch.crates-io]).
AnomalRoil (Contributor) reviewed on May 14, 2026 and left a comment:
Lgtm, just a little worry about collision in names causing a single entry in the map associated with a given name instead of two.
AmeanAsad reviewed on May 14, 2026.
Cargo lockfile parsing now records git commit SHAs for git deps and external path deps. This means the provenance will correctly reflect changes to sibling git repos, or changes to the locked commit for crates from git repos.
The tests now build kettle to verify that in-project crates are skipped and the git crates are tracked correctly.
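The following is an added illustration of the lockfile classification and the `pct_encode` behavior described in the commit messages above (the `classify_package`, `resolve_dependencies` and `pct_encode` commits). It is not kettle's code: the Cargo.lock text, the crate names, the `Dep` and `ClassifyError` types, the line-oriented lockfile parser (used instead of a TOML crate so it runs stand-alone) and the `pkg:cargo/...?vcs_url=...&commit=...` URI shape are all assumptions made for this example. It shows the three source kinds a lockfile can carry (registry with checksum, git with the commit in the URL fragment, no source for path deps), the two error cases the commit describes (registry entry without a checksum, unrecognized source prefix), and how encoding only `?`, `#`, `&` and space keeps the git URL's query string from breaking PURL qualifier parsing.

```rust
// Added example, not kettle's code. Everything below is constructed for illustration.
use std::collections::BTreeMap;

#[derive(Debug, PartialEq, Eq, Clone)]
pub enum Dep {
    Registry { name: String, version: String, sha256: String },
    Git { name: String, version: String, url: String, commit: String },
    /// No `source` field in Cargo.lock: a path dependency (workspace member or external path).
    Path { name: String, version: String },
}

#[derive(Debug, PartialEq, Eq)]
pub enum ClassifyError {
    MissingChecksum(String),
    MissingCommit(String),
    UnknownSource(String, String),
}

/// Minimal line-oriented parser for the `[[package]]` tables of a Cargo.lock.
/// Only `key = "string"` fields are kept; arrays (`dependencies = [...]`) are skipped.
pub fn parse_lock(text: &str) -> Vec<BTreeMap<String, String>> {
    let mut packages = Vec::new();
    let mut cur: Option<BTreeMap<String, String>> = None;
    for line in text.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            if let Some(p) = cur.take() { packages.push(p); }
            cur = Some(BTreeMap::new());
        } else if let (Some(p), Some((k, v))) = (cur.as_mut(), line.split_once(" = ")) {
            if let Some(v) = v.strip_prefix('"').and_then(|v| v.strip_suffix('"')) {
                p.insert(k.to_string(), v.to_string());
            }
        }
    }
    if let Some(p) = cur { packages.push(p); }
    packages
}

/// Classify one lockfile package by its `source` field, mirroring the described rules.
pub fn classify_package(p: &BTreeMap<String, String>) -> Result<Dep, ClassifyError> {
    let name = p.get("name").cloned().unwrap_or_default();
    let version = p.get("version").cloned().unwrap_or_default();
    match p.get("source").map(String::as_str) {
        None => Ok(Dep::Path { name, version }),
        Some(s) if s.starts_with("registry+") => match p.get("checksum") {
            Some(c) => Ok(Dep::Registry { name, version, sha256: c.clone() }),
            None => Err(ClassifyError::MissingChecksum(name)),
        },
        Some(s) if s.starts_with("git+") => {
            // Cargo records the resolved commit as the URL fragment: git+URL?branch=x#SHA
            let body = &s["git+".len()..];
            match body.rsplit_once('#') {
                Some((url, commit)) if !commit.is_empty() => Ok(Dep::Git {
                    name, version, url: url.to_string(), commit: commit.to_string(),
                }),
                _ => Err(ClassifyError::MissingCommit(name)),
            }
        }
        Some(other) => Err(ClassifyError::UnknownSource(name, other.to_string())),
    }
}

/// Percent-encode only the characters that break PURL qualifier parsing
/// (`?`, `#`, `&`, space); `=` and `@` pass through unchanged.
pub fn pct_encode(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '?' | '#' | '&' | ' ' => out.push_str(&format!("%{:02X}", c as u32)),
            _ => out.push(c),
        }
    }
    out
}

/// Assumed URI shape for this example: a pkg:cargo PURL, with the git URL and
/// commit attached as qualifiers for git dependencies.
pub fn purl(dep: &Dep) -> String {
    match dep {
        Dep::Registry { name, version, .. } | Dep::Path { name, version } => {
            format!("pkg:cargo/{name}@{version}")
        }
        Dep::Git { name, version, url, commit } => {
            format!("pkg:cargo/{name}@{version}?vcs_url={}&commit={commit}", pct_encode(url))
        }
    }
}

/// Parse, classify every package, and return the list sorted by URI.
pub fn resolve_dependencies(lock: &str) -> Result<Vec<(String, Dep)>, ClassifyError> {
    let mut out = parse_lock(lock)
        .iter()
        .map(|p| classify_package(p).map(|d| (purl(&d), d)))
        .collect::<Result<Vec<_>, _>>()?;
    out.sort_by(|a, b| a.0.cmp(&b.0));
    Ok(out)
}

/// Constructed Cargo.lock: one path crate, one registry crate, one git crate with a query string.
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "kettle"
version = "0.1.0"
dependencies = [
 "gitcrate",
 "regcrate",
]

[[package]]
name = "regcrate"
version = "2.3.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "gitcrate"
version = "0.1.0"
source = "git+https://git.example.com/gitcrate?branch=main#0123456789abcdef0123456789abcdef01234567"
"#;

fn main() {
    for (uri, dep) in resolve_dependencies(SAMPLE_LOCK).expect("classify") {
        println!("{uri}  {dep:?}");
    }
}
```

The git URL's own `?branch=main` becomes `%3Fbranch=main` inside the qualifier, so the URI has exactly one literal `?` and a PURL parser splits qualifiers at `&` as intended; a registry entry with no `checksum` and a source with an unknown prefix are rejected rather than silently dropped.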