Package Registry
This document describes the 0x0 package registry paths:
- tools/package-registry.py keeps the deterministic file-backed registry
compatibility slice.
- tools/remote-package-ecosystem.py implements the production remote registry
resolver, compiler-consumable cache lock generation, publish workflow, signed
provenance, rollback, yanking, tombstone, advisory, and namespace governance
evidence.
Scope
The registry index is generated from 0x0.lock. Each local dependency becomes
one package row with:
- package name;
- version;
- source path;
- SHA-256 checksum;
- active/yanked status;
- artifact URL;
- provenance.
The current artifact URL scheme is file:<relative-source-path>. Absolute
paths and parent traversal are rejected by the resolver.
Resolver
tools/package-registry.py provides three commands:
python3 tools/package-registry.py build-index --out build/package-registry/index.tsv
python3 tools/package-registry.py resolve \
--index build/package-registry/index.tsv \
--name web-runtime \
--cache build/package-registry/cache \
--lock-out build/package-registry/resolved.lock
python3 tools/package-registry.py check
Resolution verifies:
- one matching package/version row exists;
- the package row is active and not yanked;
- the artifact URL is supported and safe;
- the source checksum matches the registry metadata;
- the copied cache artifact still matches the checksum.
The resolver writes a deterministic registry lock:
package-registry-lock 1
dependency web-runtime 0.1.0 build/package-registry/cache/web-runtime/0.1.0/source.0x0 <sha256>
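As an added illustration of the checks listed above (example code written for this page, not the project's tools/package-registry.py): a minimal file-backed resolver that parses a constructed index.tsv, enforces the file:<relative path> rule, refuses absolute paths and parent traversal, verifies the source checksum before and after the copy into the cache, and emits the lock format shown. The column order, the status vocabulary, the temporary directory layout and the legacy, dup, evil and tampered rows are assumptions made for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path, PurePosixPath

# Assumed index layout (constructed for this example): one tab-separated row per package.
COLUMNS = ("name", "version", "source", "sha256", "status", "artifact", "provenance")

class ResolutionError(Exception):
    pass

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_index(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            fields = line.split("\t")
            if len(fields) != len(COLUMNS):
                raise ResolutionError(f"malformed index row: {line!r}")
            rows.append(dict(zip(COLUMNS, fields)))
    return rows

def safe_artifact_path(url, root):
    """Accept only file:<relative path> and refuse anything that escapes the registry root."""
    if not url.startswith("file:"):
        raise ResolutionError(f"unsupported artifact URL scheme: {url}")
    rel = PurePosixPath(url[len("file:"):])
    if not rel.parts or rel.is_absolute() or ".." in rel.parts:
        raise ResolutionError(f"unsafe artifact path: {url}")
    candidate = (root / rel).resolve()
    if not candidate.is_relative_to(root.resolve()):  # also catches symlinks pointing outside
        raise ResolutionError(f"artifact escapes registry root: {url}")
    return candidate

def resolve(rows, name, root, cache, version=None):
    """Pick the single matching row, verify it, copy it into the cache and return the lock text."""
    matches = [r for r in rows if r["name"] == name and (version is None or r["version"] == version)]
    if len(matches) != 1:
        raise ResolutionError(f"expected exactly one row for {name}, found {len(matches)}")
    row = matches[0]
    if row["status"] != "active":
        raise ResolutionError(f"{name} {row['version']} is {row['status']}")
    source = safe_artifact_path(row["artifact"], root)
    if sha256_file(source) != row["sha256"]:
        raise ResolutionError(f"source checksum mismatch for {name} {row['version']}")
    dest = cache / name / row["version"] / "source.0x0"
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(source, dest)
    if sha256_file(dest) != row["sha256"]:  # re-verify what actually landed in the cache
        raise ResolutionError("cached artifact checksum mismatch")
    lock_path = dest.relative_to(root).as_posix()
    return f"package-registry-lock 1\ndependency {name} {row['version']} {lock_path} {row['sha256']}\n"

def demo():
    """Build a constructed registry tree in a temp dir and exercise the positive and negative paths."""
    root = Path(tempfile.mkdtemp())
    src = root / "libs" / "web-runtime" / "src" / "lib.0x0"
    src.parent.mkdir(parents=True)
    src.write_bytes(b"module web-runtime\n")  # constructed package source
    good, url = sha256_file(src), "file:libs/web-runtime/src/lib.0x0"

    def row(name, version, status, artifact=url, digest=good):
        return "\t".join((name, version, artifact[5:], digest, status, artifact, "local"))

    index = "\n".join([
        row("web-runtime", "0.1.0", "active"),
        row("legacy", "0.0.1", "yanked"),
        row("dup", "1.0.0", "active"), row("dup", "1.0.0", "active"),
        row("evil", "1.0.0", "active", artifact="file:../outside.0x0"),
        row("tampered", "1.0.0", "active", digest="0" * 64),
    ])
    rows = parse_index(index)
    cache = root / "build" / "package-registry" / "cache"
    results = {}
    for name in ("web-runtime", "legacy", "dup", "evil", "tampered"):
        try:
            results[name] = resolve(rows, name, root, cache)
        except ResolutionError as err:
            results[name] = "error: " + str(err)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome.strip())
```

The second checksum after the copy is not redundant: it is the only check that covers what the compiler will actually read, and it is what turns a corrupted or raced cache write into a hard failure rather than a silently wrong lock.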
Gate
Use the bounded gate:
make package-registry-check
The gate builds a local registry index, resolves web-runtime into a cache,
checks the generated lock, and verifies negative yanked and duplicate-version
resolution failures. It does not run broad library compilation or make network
requests.
Remote Registry Protocol
Remote package resolution is implemented by tools/remote-package-ecosystem.py.
Remote registry metadata is JSON whose top-level registry field is
0x0-remote-registry-v1. Each package row records:
- package name and SemVer version, including explicit prerelease handling;
- artifact URL, either relative to the registry URL or absolute with an http,
https, or file scheme;
- SHA-256 checksum;
- active, yanked, and tombstone state;
- namespace owner;
- dependency constraints;
- provenance;
- advisory metadata;
- a deterministic 0x0-registry-signature value.
Use:
python3 tools/remote-package-ecosystem.py resolve \
--registry-url https://libs.jmp0x1b.com/registry.json \
--registry-cache build/remote-registry/cache/registry.json \
--name app \
--version 1.0.0 \
--cache build/remote-registry/cache \
--lock-out build/remote-registry/0x0.lock
The resolver fetches registry metadata, verifies package signatures, solves
transitive SemVer constraints, rejects yanked/tombstoned/critical-advisory
packages, fetches artifacts, verifies checksums, writes a local cache, and
emits a compiler-consumable lockfile whose pkg: entries point at cached
source files.
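An added example of the selection and rejection rules described above (written for this page, not the project's tools/remote-package-ecosystem.py, whose signature scheme and JSON field names are not specified here): a SemVer solver over a constructed in-memory registry that picks the highest compatible release, admits a prerelease only when it is pinned explicitly, skips yanked, tombstoned and critical-advisory rows, and refuses any row whose metadata no longer matches its signature. The HMAC-SHA256 signature over canonical JSON is a stand-in for the real 0x0-registry-signature, and the field names state, advisory and dependencies, the caret and >= constraint syntax, and every package in demo_registry are assumptions.

```python
import hashlib
import hmac
import json
import re

SIG_FIELD = "0x0-registry-signature"
SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")
DEMO_KEY = b"demo-signing-key"  # constructed; a real key would come from the environment

class ResolutionError(Exception):
    pass

def parse_semver(text):
    """Return (major, minor, patch, prerelease); prerelease is a sortable tuple or None."""
    m = SEMVER_RE.match(text)
    if not m:
        raise ResolutionError(f"bad SemVer string: {text}")
    major, minor, patch, pre = m.groups()
    # SemVer 2.0: numeric identifiers compare numerically and sort before alphanumeric ones
    pre_key = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split(".")) if pre else None
    return int(major), int(minor), int(patch), pre_key

def sort_key(version):
    major, minor, patch, pre = parse_semver(version)
    return major, minor, patch, 1 if pre is None else 0, pre or ()  # release > any prerelease

def satisfies(version, constraint):
    """Caret and >= ranges never admit a prerelease; only an exact pin selects one."""
    v = parse_semver(version)
    if constraint.startswith("^"):
        base = parse_semver(constraint[1:])[:3]
        # upper bound bumps the first non-zero component (1.2.3 -> 2.0.0, 0.2.3 -> 0.3.0, 0.0.3 -> 0.0.4)
        nz = next((i for i, x in enumerate(base) if x), 2)
        upper = tuple(base[i] + 1 if i == nz else 0 for i in range(3))
        return v[3] is None and base <= v[:3] < upper
    if constraint.startswith(">="):
        return v[3] is None and v[:3] >= parse_semver(constraint[2:])[:3]
    return v == parse_semver(constraint)

def sign_row(row, key):
    """Stand-in signature: HMAC-SHA256 over canonical JSON of every field except the signature."""
    body = {k: v for k, v in row.items() if k != SIG_FIELD}
    return hmac.new(key, json.dumps(body, sort_keys=True, separators=(",", ":")).encode(), hashlib.sha256).hexdigest()

def verify_signature(row, key):
    if not hmac.compare_digest(row.get(SIG_FIELD, ""), sign_row(row, key)):
        raise ResolutionError(f"bad signature on {row['name']} {row['version']}")

def unusable_reason(row):
    if row["state"] != "active":
        return row["state"]
    return "critical advisory" if (row.get("advisory") or {}).get("severity") == "critical" else None

def solve(registry, name, constraint, key, resolved=None):
    """Depth-first solve choosing the highest usable version for every constraint."""
    resolved = {} if resolved is None else resolved
    if name in resolved:
        if not satisfies(resolved[name]["version"], constraint):
            raise ResolutionError(f"conflict on {name}: {resolved[name]['version']} vs {constraint}")
        return resolved
    usable, rejected = [], {}
    for row in registry["packages"]:
        if row["name"] != name or not satisfies(row["version"], constraint):
            continue
        verify_signature(row, key)  # never trust metadata, even for rows that end up skipped
        reason = unusable_reason(row)
        if reason:
            rejected[row["version"]] = reason
        else:
            usable.append(row)
    if not usable:
        raise ResolutionError(f"no usable version of {name} for {constraint}: {rejected}")
    chosen = max(usable, key=lambda r: sort_key(r["version"]))
    resolved[name] = chosen
    for dep_name, dep_constraint in chosen["dependencies"].items():
        solve(registry, dep_name, dep_constraint, key, resolved)
    return resolved

def make_row(name, version, state="active", deps=None, advisory=None):
    row = {"name": name, "version": version, "state": state, "advisory": advisory,
           "artifact": f"{name}/{version}/source.0x0", "dependencies": deps or {},
           "sha256": hashlib.sha256(f"{name}@{version}".encode()).hexdigest()}
    row[SIG_FIELD] = sign_row(row, DEMO_KEY)
    return row

def demo_registry():
    """Constructed registry with yanked, prerelease, critical-advisory, tombstoned and tampered rows."""
    tampered = make_row("tampered", "1.0.0")
    tampered["sha256"] = "0" * 64  # edited after signing, so the signature no longer matches
    return {"registry": "0x0-remote-registry-v1", "packages": [
        make_row("app", "1.0.0", deps={"lib": "^1.0.0", "util": ">=0.3.0"}),
        make_row("lib", "1.0.0"), make_row("lib", "1.1.0"),
        make_row("lib", "1.2.0", state="yanked"), make_row("lib", "1.3.0-rc.1"),
        make_row("lib", "2.0.0"), make_row("util", "0.3.0"),
        make_row("util", "0.4.0", advisory={"id": "ADV-0001", "severity": "critical"}),
        make_row("old", "1.0.0", state="tombstone"), tampered]}

def resolve_versions(name, constraint):
    """Return {package: version} on success or the resolver's error text."""
    try:
        return {n: r["version"] for n, r in solve(demo_registry(), name, constraint, DEMO_KEY).items()}
    except ResolutionError as err:
        return str(err)
```

Resolving app 1.0.0 against this registry selects lib 1.1.0 (1.2.0 is yanked, 1.3.0-rc.1 is a prerelease, 2.0.0 is out of range) and util 0.3.0 (0.4.0 carries a critical advisory); asking for lib 1.3.0-rc.1 by exact pin is the only way to get the prerelease, and a caret range that matches nothing but a yanked row fails with the reason rather than silently widening.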
Offline mode uses the saved registry cache plus the artifact cache:
python3 tools/remote-package-ecosystem.py resolve \
--registry-url https://libs.jmp0x1b.com/registry.json \
--registry-cache build/remote-registry/cache/registry.json \
--name app \
--version 1.0.0 \
--cache build/remote-registry/cache \
--lock-out build/remote-registry/offline.0x0.lock \
--offline
Publishing and governance evidence is generated with:
python3 tools/remote-package-ecosystem.py publish \
--package app \
--version 1.0.0 \
--artifact libs/app/src/lib.0x0 \
--out-dir build/remote-registry/publish \
--namespace app \
--owner release \
--signing-key env:ZERO_REGISTRY_SIGNING_KEY
The publish workflow emits registry metadata and records for publish, verify,
promote, yank, deprecate, rollback, ownership, advisory, and provenance.
Remote Gate
Use the bounded remote ecosystem gate:
make remote-package-ecosystem-check
The gate starts a loopback HTTP registry, resolves a transitive package graph,
selects the highest compatible SemVer version, writes a compiler-compatible
lock, proves offline cache reuse, resolves an explicit prerelease, rejects
yanked packages, rejects critical-advisory packages, rejects checksum
corruption, and verifies signed publish/rollback/advisory workflow evidence.
Standard Library Registry Entry
libs/registry.tsv includes the public stdlib package. Its source is
libs/stdlib/src/lib.0x0, its standalone README is
libs/stdlib/README.html, and its public package page is
site/libs/stdlib.html.
The stdlib entry is part of the 0x0 library registry website and is also
checked by:
make stdlib-parity-check
That gate verifies that every standard-library module family in
libs/stdlib/modules.tsv is current and backed by 0x0 package source,
standalone docs, registry metadata, API cross-reference text, and executable
smoke evidence.