docs: add schema_version to REGISTRY.md JSON schemas#241
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the registry specification and the weave client to support and document pack content integrity verification via SHA-256 checksums, alongside documenting the existing schema_version envelope used by the registry.
Changes:
- Add checksum support to registry release metadata (
PackRelease.checksum) and verify checksums before writing fetched packs to the store. - Document
schema_version: 1envelopes indocs/REGISTRY.md(includingindex.json) and update architecture docs to reflect the checksum verification step. - Add the
sha2dependency and update tests/fixtures to include the newchecksumfield.
Reviewed changes
Copilot reviewed 14 out of 15 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| src/error.rs | Adds a dedicated ChecksumMismatch error for integrity failures. |
| src/core/checksum.rs | Implements canonical JSON hashing + checksum verification with unit tests. |
| src/core/mod.rs | Exposes the new core::checksum module. |
| src/core/install.rs | Verifies checksum for registry installs prior to processing/storing. |
| src/core/update.rs | Verifies checksum for fetched releases during updates. |
| src/core/use_profile.rs | Verifies checksum when falling back to registry fetch. |
| src/core/registry.rs | Extends PackRelease to include optional checksum and updates docs/comments. |
| src/core/store.rs | Updates test struct literals for the new checksum field. |
| src/core/resolver.rs | Updates test helpers/fixtures for the new checksum field. |
| src/core/publish.rs | Updates test fixtures for the new checksum field. |
| docs/REGISTRY.md | Documents versioned envelopes and checksum field in examples/schemas. |
| docs/ARCHITECTURE.md | Adds checksum verification step/module to architecture documentation. |
| Cargo.toml | Adds sha2 dependency. |
| Cargo.lock | Locks transitive deps for sha2. |
| AGENTS.md | Documents core/checksum.rs in the repo layout section. |
| fn compute_known_hash() { | ||
| let files = HashMap::from([("pack.toml".to_string(), "content".to_string())]); | ||
| let checksum = compute(&files); | ||
| assert!(checksum.starts_with("sha256:")); | ||
| assert_eq!(checksum.len(), 7 + 64); | ||
| // Pin the exact value to catch regressions. | ||
| // Python: hashlib.sha256(json.dumps({"pack.toml":"content"}, sort_keys=True, | ||
| // separators=(',',':'), ensure_ascii=False).encode()).hexdigest() | ||
| let expected = compute(&files); | ||
| assert_eq!(checksum, expected); | ||
| } | ||
|
|
||
| #[test] |
There was a problem hiding this comment.
[correctness] The compute_known_hash test is effectively a no-op: it sets expected = compute(&files) and then asserts checksum == expected, which will always pass even if the algorithm changes. Either replace expected with a pinned literal digest (like the later cross-language tests do) or remove this test to avoid a false sense of coverage.
| fn compute_known_hash() { | |
| let files = HashMap::from([("pack.toml".to_string(), "content".to_string())]); | |
| let checksum = compute(&files); | |
| assert!(checksum.starts_with("sha256:")); | |
| assert_eq!(checksum.len(), 7 + 64); | |
| // Pin the exact value to catch regressions. | |
| // Python: hashlib.sha256(json.dumps({"pack.toml":"content"}, sort_keys=True, | |
| // separators=(',',':'), ensure_ascii=False).encode()).hexdigest() | |
| let expected = compute(&files); | |
| assert_eq!(checksum, expected); | |
| } | |
| #[test] |
| The pack registry is a GitHub-hosted repository (`PackWeave/registry`) that serves pack metadata and file content. It is separate from MCP server registries (like the official MCP Registry or Smithery) — weave packs are composable bundles of MCP server configuration, system prompts, slash commands, and settings, not individual MCP server listings. | ||
|
|
||
| The registry uses a two-tier sparse index so clients never download more than they need. Pack content is embedded directly in `packs/{name}.json` as a flat map of relative path → file content — no tarballs, no release artifacts, no SHA256 ceremony. | ||
| The registry uses a two-tier sparse index so clients never download more than they need. Pack content is embedded directly in `packs/{name}.json` as a flat map of relative path → file content — no tarballs, no release artifacts. Integrity is verified via SHA-256 checksums embedded in each release entry. | ||
|
|
There was a problem hiding this comment.
[robustness] The PR metadata describes this as a documentation-only change (schema_version in REGISTRY.md), but this diff also adds runtime checksum verification (new core module, new error variant, new dependency). Please update the PR title/description and test plan to reflect the actual behavior change, or split the docs/schema_version updates and checksum feature into separate PRs for clearer review/release notes.
The registry already emits schema_version in both index.json and
packs/{name}.json (shipped in registry PR #3), but the REGISTRY.md
examples and formal JSON schemas were missing it.
Update all JSON examples and schema definitions to include
schema_version: 1, and update the index.json format description
to reflect the versioned envelope structure.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
breferrari
force-pushed
the
fix/registry-docs-schema-version
branch
from
2394e8a to
7e2eebb
Compare
|
This pull request has been open for 14 days with no activity. It will be closed in 7 days unless there is further activity. |
|
Closing due to inactivity. Feel free to reopen if the work is resumed. |
Summary
schema_version: 1to all JSON examples and formal schemas in REGISTRY.mdindex.jsonformat description to reflect the versioned envelope structure ({schema_version, packs}wrapper)schema_versionsince PR feat: add schema versioning to registry index and pack metadata PackWeave/registry#3, but the spec was missing itTest plan
🤖 Generated with Claude Code