Closes #1470
Context
Dora’s package-management work has started defining:
- manifest parsing (`Dora.toml`)
- registry index reading / normalization
However, the publish side of the system is still undefined.
Issue #1470 proposes introducing a minimal publish/archive contract to define how a node package is packaged, described, and validated before entering a registry.
This PR implements that proposal.
What this PR does
This PR introduces a minimal publish/archive contract for Dora node packages inside the CLI crate.
It defines:
- how a package directory is converted into a publishable artifact (`.tar.gz`)
- what metadata represents a published package version
- how artifact and metadata are validated against each other
This establishes the publisher-side contract that complements existing registry-read and metadata-normalization work.
Added
publish_metadata.rs
Defines publish-facing metadata and normalization:
- `PublishManifest`
  - derived from `Dora.toml`
  - represents the publishable subset of package metadata
- `PublishedDependency`
  - registry-compatible dependency representation
- `PublishedPackageRecord`
  - metadata for a published package version
Behavior
- parses `Dora.toml` into a publishable manifest
- enforces publish-time constraints:
  - valid package name
  - valid semver version
  - dependency requirements must be valid semver ranges
- rejects non-publishable dependency sources:
  - `path`
  - `git`
- ensures published metadata is deterministic and registry-compatible
package_archive.rs
Defines the package artifact and validation:
- creates a `.tar.gz` archive from a package directory
- computes `sha256` checksum for the archive
- extracts `Dora.toml` from archive
- validates metadata ↔ archive consistency
Validation guarantees
- checksum matches published metadata
- archive contains `Dora.toml`
- package name/version match metadata
- dependencies match metadata
Why this matters
This PR defines the missing publish-side contract for Dora packages.
It connects:
- package directory (source)
- publish artifact (archive)
- registry metadata (record)
This complements existing work:
- #1451 / #1453 / #1467 → metadata normalization + registry read side
- this PR → publish + artifact + integrity validation
Together, these form the foundation for:
Dora.toml
-> PublishManifest
-> PublishedPackageRecord + archive
-> registry storage
-> registry reader
-> PackageDefinition
-> resolver / install / lockfile