Publish live @dotprotocol/* source (reproducibility gate)#2
Merged
Conversation
…wrapper, arena, relay, identity, sdk) Makes the source of the LIVE published @dotprotocol/* npm packages public and reproducible in the dot-protocol org. Additive only — no live package name, semver, or API is changed. - Import 7 dist-shipped packages from the private source (dot-engine-week4 cut): compression, qr, wrapper, arena, relay, identity, sdk. Source version 0.3.0; published live at 1.0.0 (version bump, no API change). - Add per-package LICENSE matching the published license field (MIT for the 7; core/chain/mesh/cli/lang remain Apache-2.0 per their published metadata). - Add `repository`/`homepage`/`bugs` fields to all live-source packages. - Add packages/PROVENANCE.md documenting the live-npm → source map, the @dotprotocol (no-hyphen, published) vs @dot-protocol (hyphen, repo) scope relationship, the build/reproduce steps, and the acceptance-test results. Reproducibility (npm pack source vs live tarball): - core/chain/mesh: file lists IDENTICAL, src byte-identical (only package.json name scope differs: @dot-protocol/ here vs @dotprotocol/ published). - identity/qr/arena/sdk: built dist export surface matches live exactly (dist filenames carry tsdown content-hash suffixes -> functionally identical). No secrets in any imported source (scanned). No npm publish performed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Makes the source of the live published
@dotprotocol/*npm packages public and reproducible in this org. Additive only — no live package name, semver, or API is touched.What this adds
Imports the 7
dist-shipped live packages (whose source was previously only in a private repo) intopackages/:compression,qr,wrapper,arena,relay,identity,sdk.Plus, for all live-source packages (the 7 + existing
core/chain/mesh/cli/lang):LICENSE(matching the publishedlicensefield: MIT for the 7, Apache-2.0 for core/chain/mesh/cli/lang)repository/homepage/bugsfields pointing at this repopackages/PROVENANCE.md— the live-npm → source map, the@dotprotocol(no-hyphen, published) vs@dot-protocol(hyphen, repo) scope relationship, build steps, and acceptance-test resultsProvenance resolved
The live
@dotprotocol/*(no-hyphen) packages are a hybrid:dot-protocol/dot@main), ship rawsrc/mevBlaze/protocol@dot-engine-week4(projects/dot-protocol/packages/*), tsdowndist/, source 0.3.0 → published 1.0.0Acceptance test (
npm packsource vs live tarball)src/byte-identical. Only diff is package.jsonnamescope (@dot-protocol/here →@dotprotocol/published).dist/export surface matches live exactly.distfilenames carry tsdown content-hash suffixes that vary by toolchain → functionally (not byte) identical.Safety
🤖 Generated with Claude Code