feat(cli): prototype publish/archive contract for Dora packages #1471

Closed
Harsh-Sahu43 wants to merge 1 commit into dora-rs:main from Harsh-Sahu43:feature/package-publish-contract


Contributor

@Harsh-Sahu43 Harsh-Sahu43 commented Mar 20, 2026

Closes #1470

Context

Dora’s package-management work has started defining:

  • manifest parsing (Dora.toml)
  • registry index reading / normalization

However, the publish side of the system is still undefined.

Issue #1470 proposes introducing a minimal publish/archive contract to define how a node package is packaged, described, and validated before entering a registry.

This PR implements that proposal.


What this PR does

This PR introduces a minimal publish/archive contract for Dora node packages inside the CLI crate.

It defines:

  • how a package directory is converted into a publishable artifact (.tar.gz)
  • what metadata represents a published package version
  • how artifact and metadata are validated against each other

This establishes the publisher-side contract that complements existing registry-read and metadata-normalization work.


Added

publish_metadata.rs

Defines publish-facing metadata and normalization:

  • PublishManifest

    • derived from Dora.toml
    • represents the publishable subset of package metadata
  • PublishedDependency

    • registry-compatible dependency representation
  • PublishedPackageRecord

    • metadata for a published package version

Behavior

  • parses Dora.toml into a publishable manifest
  • enforces publish-time constraints:
    • valid package name
    • valid semver version
    • dependency requirements must be valid semver ranges
  • rejects non-publishable dependency sources:
    • path
    • git
  • ensures published metadata is deterministic and registry-compatible

package_archive.rs

Defines the package artifact and validation:

  • creates a .tar.gz archive from a package directory
  • computes sha256 checksum for the archive
  • extracts Dora.toml from archive
  • validates metadata ↔ archive consistency

Validation guarantees

  • checksum matches published metadata
  • archive contains Dora.toml
  • package name/version match metadata
  • dependencies match metadata

Why this matters

This PR defines the missing publish-side contract for Dora packages.

It connects:

  • package directory (source)
  • publish artifact (archive)
  • registry metadata (record)

This complements existing work:
#1451 / #1453 / #1467 → metadata normalization + registry read side
this PR → publish + artifact + integrity validation

Together, these form the foundation for:

Dora.toml
  -> PublishManifest
  -> PublishedPackageRecord + archive
  -> registry storage
  -> registry reader
  -> PackageDefinition
  -> resolver / install / lockfile

@heyong4725
Collaborator

Hi @Harsh-Sahu43, closing this as a companion to #1467 — same direction call, not a quality judgment.

The publish/archive contract here only has value if the broader package-management track is being built, which is the call we just made on #1467 and #1402 (the umbrella RFC, also being closed). Package management is a long-term roadmap item but the project isn't committing to the design space right now — we'd rather start with fresh thinking against whatever the ecosystem looks like when we do revisit, instead of carrying half-resolved contract surface forward.

Same offer as on #1467: your other contributions land beautifully when the target is a concrete pain point. The recent rescue stack (#1855, #1859, #1861, #1864, #1865, #1869, #1870, #1818, #1820) is a good shape to mirror — defensive fixes, CI gaps, CLI ergonomics, edge cases in features users actually exercise today.

Thanks for the work and patience.


Development

Successfully merging this pull request may close these issues.

Define Dora node package publish/archive contract
