feat(registry): add delegated release contracts#1918
Conversation
🦋 Changeset detectedLatest commit: 649de62 The changes in this PR will be included in the next version bump. This PR includes changesets to release 19 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs |
emdash-demo-do | 649de62 | Jul 10 2026, 02:53 PM |
2e778e4
into
feat/delegated-release-service
There was a problem hiding this comment.
This PR is a focused contract-only change: it adds the new profileExtension lexicon for delegated-release policy on package profiles, extends the existing releaseExtension with optional provenance references, regenerates the typed schemas, and keeps the hand-maintained NSID map in sync. The approach fits the approved Discussion/RFC and the experimental registry package, and it correctly defers cross-record semantic enforcement (e.g. requireProvenance) to later consumers.
I inspected the lexicon JSON, generated TypeScript schemas, src/index.ts exports, the changeset, and the new tests. The changeset is present and targets the right package with a minor bump. No admin UI / i18n / SQL / auth code is touched, so the bulk of the AGENTS.md conventions do not apply here. I did not run the test suite or linter; my conclusions are based on static code inspection.
No blocking issues. I have one small suggestion to improve a test so it actually exercises the schema rule it claims to test.
| $type: NSID.packageProfileExtension, | ||
| repository: "https://github.com/example/gallery", | ||
| releasePolicy: { | ||
| approvers: Array.from({ length: 33 }, (_, index) => `did:plc:${index}`), |
There was a problem hiding this comment.
[suggestion] The test name says it rejects an oversized approver list, but the 33 entries are did:plc:${index} (e.g. did:plc:0, did:plc:1, …). These are syntactically invalid did:plc identifiers, so the schema will most likely reject for the DID format before it ever checks the 32-item cap. The test still passes, but it doesn't prove the length limit works.
Use distinct, syntactically valid DIDs so the array-length rule is the actual reason for rejection:
| approvers: Array.from({ length: 33 }, (_, index) => `did:plc:${index}`), | |
| approvers: Array.from({ length: 33 }, (_, index) => `did:web:example${index}.com`), |
What does this PR do?
Implements the delegated release service's experimental record contract from RFC #1870:
This is the shared contract PR. Consumer changes remain blocked until it merges into
feat/delegated-release-service.Related to #1908, #1870, and Discussion #1590.
Type of change
Checklist
pnpm typecheckpassespnpm lintpassespnpm testpasses (or targeted tests for my change)pnpm formathas been runmessages.pochanges except in translation PRs — a workflow extracts catalogs on merge tomain.i18n is not applicable: no admin UI is changed.
AI-generated code disclosure
Screenshots / test output
pnpm buildpasses with existing virtual-import and deliberate test-pluginevalwarningspnpm --filter @emdash-cms/registry-lexicons testpasses: 18 testspnpm --filter @emdash-cms/registry-lexicons typecheckpassespnpm lintpasses with 0 warnings/errorspnpm --filter @emdash-cms/registry-lexicons regenis cleangit diff --checkpasspublintpasses;attw --packthen hits the knownfilenamecrash also reproduced in unchanged registry packages